
549-Final QAIP Guide

The Quality Assurance and Improvement Program (QAIP) Guide for Public Sector Entities in Tanzania outlines the framework and requirements for implementing quality assurance in internal audit activities. It aims to enhance accountability, transparency, and efficiency in public sector audits, aligning with international standards and providing a resource for capacity building. The guide includes detailed methodologies, roles, and responsibilities for stakeholders, and is intended to be used alongside other IAGD documents.

Uploaded by

Frank Kindimba

THE UNITED REPUBLIC OF TANZANIA

MINISTRY OF FINANCE

INTERNAL AUDITOR GENERAL DIVISION

QUALITY ASSURANCE AND IMPROVEMENT PROGRAM GUIDE


FOR PUBLIC SECTOR ENTITIES

REVISED EDITION

FINAL

October 2023

Disclaimer: This Guide should be used alongside other approved policy and procedure
documents for the IAGD. In addition, it is a living document which is subject to change
upon consultation with the relevant stakeholders.
QAIP Guide Page | ii
Table of Contents

Foreword
Preface
Table of Contents
List of Figures
Abbreviations and Acronyms
Definition of Terms
Chapter 1: Introduction
1.1 Overview
1.2 Background of the QAIP Guide
1.3 Purpose of the QAIP Guide
1.4 Objectives of the QAIP Guide
1.5 Structure of the QAIP Guide
1.6 Review and Update of the QAIP Guide
Chapter 2: Establishment of the Quality Assurance and Improvement Program
2.1 Overview
2.2 Legal Basis
2.3 Relevant IPPF Guidance
2.4 Foundation of Quality
2.5 The QAIP Framework
2.6. Roles and Responsibilities of Key Stakeholders in the Implementation of QAIP
Chapter 3: Internal Quality Assessment
3.1 Overview
3.2 Ongoing Monitoring
3.3 Periodic Self-Assessments
Chapter 4: Full External Assessment
4.1 Overview
4.2 Frequency of External Assessment
4.3 Planning
4.4 Off-site work
4.5 Field Work
4.6 Evaluate and Report
Chapter 5: Self-Assessment with Independent Validation
5.1 Overview
5.2 Defining the scope and approach to the assessment
5.3 Selecting the Independent External Assessor for a Self-Assessment with Independent Validation
5.4 Communication and Coordination with the External Validation Assessor
5.5 Work to be completed before fieldwork
5.6 Work to be during the fieldwork
5.7 Reporting and Follow-Up
Chapter 6: QAIP Monitoring and Follow-up
6.1. Overview
6.2. Reporting and Follow-Up activities
6.3. Internal Assessment Monitoring and Follow-Up activities
6.4. External Assessment Monitoring and Follow-Up activities
Chapter 7: Use of Conformance Statement and Disclosure of Non-conformance
7.1. Overview
7.2. Proper use of Conformance Statement
7.3. Disclosure of Non-conformance
Appendices
Appendix 1 – Reference Documents
Appendix 2 – Quality Assurance and Improvement Program Tools and Checklists
Appendix 2.1 Planning Tools and Checklists
Appendix 2.2 Survey Tools
Appendix 2.3 Interview Guides
Appendix 2.4 Assessment/Rating Tools
Appendix 2.5 Evaluation Summaries
Appendix 2.6 Ongoing Monitoring Review Questions
Appendix 2.7 Sample Reporting Tools


List of Figures

Figure 1: Coverage of various aspects of the Internal Audit Activity
Figure 2: Illustrative Quality Assurance and Improvement Framework: Source, IPPF QAIP Practice Guide


Abbreviations and Acronyms

CAE: Chief Audit Executive
CEO: Chief Executive Officer
CFO: Chief Finance Officer
CIA: Certified Internal Auditor
CRMA: Certification in Risk Management Assurance
CQA: Certified Quality Auditor
EU: European Union
GTAG: Global Technology Audit Guide
IAA: Internal Audit Activity
IAGD: Internal Auditor General’s Division
IIA: Institute of Internal Auditors
IIASB: International Internal Audit Standards Board
IPPF: International Professional Practices Framework
KPIs: Key Performance Indicators
LGAs: Local Government Authorities
MDAs: Ministries, Departments and Agencies
MoF: Ministry of Finance
PSEs: Public Service Entities
RCM: Risk and Control Matrix
QAIP: Quality Assurance and Improvement Program


Definition of Terms

Add Value: The internal audit activity adds value to the PSE (and its stakeholders) when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management, and control processes.

Assurance Activity: An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management and control processes for the organization.

Audit Committee: An operating committee of the Governing Body charged with oversight of the PSE’s internal controls, financial reporting and disclosure. Many Audit Committees also have oversight of regulatory compliance and risk management activities, unless the role is assigned to a separate Board risk and compliance committee.

Board: A Board is the PSE’s governing body, such as a Board of directors, supervisory Board, head of an agency or legislative body, Board of governors or trustees, or any other designated body of the organisation, including the Audit Committee to whom the chief audit executive may functionally report.

Code of Ethics: The Code of Ethics are principles relevant to the profession and practice of internal auditing and Rules of Conduct that describe behavior expected of internal auditors. The purpose of the Code of Ethics is to promote an ethical culture in the global profession of internal auditing.

Chief Audit Executive: Chief audit executive describes a person in a senior position responsible for effectively managing the internal audit activity in accordance with the internal audit charter and the Definition of Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive or others reporting to the chief audit executive will have appropriate professional certifications and qualifications. The specific job title of the chief audit executive may vary across PSEs, i.e., head of internal auditor (i.e., Regional Internal Auditor, Municipal Internal Auditor, Chief Internal Auditor, Treasury Internal Auditor, etc.), director of internal audit, etc.


Control: Any action taken by management, the Board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.

Consulting Services: Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management and control processes without the internal auditor assuming management responsibility.

Independence: The freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner.

Internal Audit Activity: Refers to internal audit functions, divisions, directorates, departments, and units in public sector entities. It may vary across different PSEs.

Fraud: Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.

Governance: The combination of processes and structures implemented by the Board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

Objectivity: An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others.

Public Service Entity: A body of persons, whether or not corporate, established by or under any written law, other than the Companies Act, whose functions are of a public nature and are exercised in furtherance of the public policy determined by the Government. They include Ministries, Departments and Agencies (MDAs), local government authorities (LGAs), publicly owned businesses, publicly controlled or publicly funded agencies, enterprises and other entities that deliver public programs, goods or services. However, it should also include corporate entities established under the Companies Act in which the government has shareholding. It includes all entities under the Treasury Registrar.

Quality Assurance Improvement Program (QAIP): It is a program developed in line with the International Professional Practices Framework (IPPF) which involves internal and external assessment of the entire spectrum of audit and consulting work performed by the internal audit activity. The QAIP measures whether internal audit is meeting its own objectives, as well as those of the broader organization. These assessments are composed of rigorous, comprehensive processes; continuous supervision and testing of internal audit work; and assessment of conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards. A QAIP also concludes on the quality of the internal audit activity and leads to recommendations for appropriate improvements.

Risk: The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.

Risk Management: This involves taking action to reduce the likelihood or impact of a risk event. It is also a set of coordinated activities to direct and control a PSE with regard to risk.

Systems: The procedures and operations by means of which an organization’s transactions and events are affected and recorded.

Standard(s): A professional pronouncement promulgated by the International Internal Audit Standards Board (IIASB) that delineates the requirements for performing a broad range of internal audit activities, and for evaluating internal audit performance. The Standards are the central criteria that define the attributes and characteristics of performance for an internal audit activity, including the requirements for a QAIP.

Senior Management: Refers to the group of executives and leaders within a Public Sector Entity who hold the highest positions of authority and responsibility. This includes heads of functions, heads of divisions, heads of directors, heads of departments and heads of units and it may vary across different PSEs.


Chapter 1: Introduction

1.1 Overview

This chapter provides an overview, mandate and background to the Quality Assurance and
Improvement Program (QAIP) for Public Sector Entities (PSEs). Furthermore, the chapter
provides the purpose, objectives, structure and arrangements for review and updates to
the Guide.

1.2 Background of the QAIP Guide

The Internal Auditor General Division (IAGD) is one of the divisions within the Ministry of
Finance (MoF), established through the Public Finance Act Cap 348, Part V with the
mandate to provide, among other tasks, strategic and technical guidance to the internal
audit units of Tanzania's public sector entities. Further, as per Section 32 Sub-section
(1) Paragraph (a) of the Public Finance Act, the Internal Auditor General (IAG) is responsible
to the Paymaster General for developing internal audit policies, rules, circulars, and
guidelines for the performance of the internal audit activities. In order to execute its
mandate, the IAGD developed the Quality Assurance and Improvement Program Manual
(2012) in line with the provisions of the International Standards for the Professional Practice
of Internal Auditing and other elements of the International Professional Practices
Framework (IPPF). The IAGD has also formulated a Strategy for further Development of
the Internal Audit System in the Public Sector of Tanzania of 2019 as well as a Capacity
Building Concept of 2022 which outlined the need for development of dedicated
guidelines and manuals for IAGD in specific areas.

IAGD developed the first Manual in 2012. Since then, several changes and developments
have taken place with the key one being reviews and updates to the IPPF. This Guide
has been prepared in alignment with the most updated provisions of the IPPF and the
Internal Audit Guide for Public Sector Entities. The revision of the Guide will further
strengthen the IAGD’s goal of ensuring the improvement of accountability, transparency
and efficiency in the public sector internal audit activities.



1.3 Purpose of the QAIP Guide

The purpose of this Guide is to establish minimum requirements for implementing quality
assurance and improvement programs for optimal operation of internal audit activities in
Public Sector Entities. This Guide will enable the evaluation of the internal audit activities in
PSEs in conformance with the International Standards for the Professional Practice of
Internal Auditing and an evaluation of whether internal auditors apply the Code of Ethics.
The Guide will also provide guidance to PSEs to assess the efficiency and effectiveness
of the internal audit activity and identify opportunities for improvement. This will result in
value addition by the internal audit activities and improvement of public service delivery
in the PSEs. The Guide should be read together with other IAGD’s guidance documents
and manuals including the Internal Audit Guide for Public Sector Entities.

1.4 Objectives of the QAIP Guide

The Guide describes the application of the International Standards for the Professional
Practice of Internal Auditing in implementation of quality assurance and improvement
programs. Objectives of the QAIP Manual are to:

a) Outline the applicable internal audit quality assurance and improvement
standards;
b) Describe the detailed approach and methodology and guidance documentation for
implementation of internal audit QAIP in PSEs;
c) Serve as reference and training resource on the QAIP to the Public Sector Entities;
d) Improve PSEs’ capacity in QAIP; and
e) Provide guidance for the development of PSE specific QAIP manuals.


1.5 Structure of the QAIP Guide

This Guide is divided into seven (7) chapters and various appendices as summarised in
the table below:-
Table 1: Structure of the Guide

| # | Chapter | Description |
|---|---------|-------------|
| 1 | Chapter 1: Introduction | Background, purpose, objectives, structure, review and update to the Guide. |
| 2 | Chapter 2: Establishment of the Quality Assurance and Improvement Program. | Relevant IPPF guidance, quality as the foundation for QAIP, QAIP framework, overall roles and responsibilities for key stakeholders in the implementation of QAIP. |
| 3 | Chapter 3: Internal Quality Assessment. | Ongoing monitoring, periodic self-assessment (planning, off-site work, field work, evaluation and report). |
| 4 | Chapter 4: Full External Assessment | Planning, off-site work, field work, evaluation and reporting. |
| 5 | Chapter 5: Self-Assessment with Independent Validation. | Defining the scope of the assessment, Selecting the independent external assessor, communication and coordination with the external validation assessor, work to be completed before fieldwork, reporting and follow up. |
| 6 | Chapter 6: Monitoring and follow up | Monitoring QAIP implementation, Follow up of QAIP activities. |
| 7 | Chapter 7: Use of Conformance Statement and Disclosure of Non-conformance | Proper use of conformance statement and Disclosure of non-conformance. |
| 8 | Appendices: Appendix 1; Appendix 2 | Reference Documents; Quality Assurance and Improvement Program Tools and Checklist |



1.6 Review and Update of the QAIP Guide

While the IAGD shall have the overall responsibility for the review and update of the QAIP
Guide at least once every three years, the QAIP Guide shall be reviewed and refined on
a needs basis in consultation with relevant stakeholders. In addition, revisions to the QAIP
Guide may also be necessitated by the following conditions:

a) Relevant changes in the legislation relating to QAIP in the internal audit practice in
the United Republic of Tanzania;
b) Reviews and updates to the IPPF; and
c) Any other relevant changes.

All proposed changes to the QAIP Guide must be adequately documented for future
reference and they must also be reviewed and approved by the IAG before adoption.
Documentation of the changes should include version number, effective date and main
areas of change.



Chapter 2: Establishment of the Quality Assurance and Improvement Program

2.1 Overview

This chapter outlines the context for establishment of the QAIP. It mainly articulates the
relevant IPPF guidance and quality as the foundation for QAIP. The chapter also outlines
the QAIP framework and summarises the overall roles and responsibilities of key
stakeholders in the implementation of QAIP.

2.2 Legal Basis

The Ministry of Finance through the IAGD issues this QAIP Guide for PSEs in line with
Section 32 Sub-section (1) of the Public Finance Act which states that the Internal Auditor
General shall be responsible for developing internal audit policies, rules, standards,
manuals, circulars, and guidelines. The QAIP Guide replaces the QAIP manual, 2012 and
it is geared towards strengthening internal audit activities (IAA) established under
Regulation 28 of the Public Finance Regulation (2004). Chief Audit Executives are
required to develop QAIP manuals for their respective IAA in line with the QAIP Guide.

2.3 Relevant IPPF Guidance

Standard number 1300 on quality assurance and improvement program requires the
Chief Audit Executive to develop and maintain a quality assurance and improvement
program that covers all aspects of the internal audit activity. The QAIP should encompass
all aspects of operating and managing the IAA, including consulting engagements, as
found in the mandatory elements of the IPPF. The mandatory elements of the IPPF are:

a) Core Principles for the Professional Practice of Internal Auditing, which are the
foundation for the IPPF.
b) The Definition of Internal Auditing as “an independent, objective assurance and
consulting activity designed to add value and improve an organization’s
operations. It helps an organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of risk
management, control, and governance processes.”
c) The Code of Ethics, whose Principles and Rules of Conduct define ethical
behavior for a professional internal auditor.
d) International Standards for the Professional Practice of Internal Auditing
(Standards). The Standards are the central criteria that define the attributes and
characteristics of performance for an internal audit activity, including the
requirements for a QAIP.

The QAIP must include internal assessments and external assessments. Internal
assessments must include ongoing monitoring of the performance of the internal audit
activity and periodic self-assessments or assessments by other persons within the
organization with sufficient knowledge of internal audit practices. External assessments
must be conducted at least once every five years by a qualified, independent assessor or
assessment team from outside the organization.

To implement standard 1300, the internal audit activity must consider the requirements
related to its five essential components as follows: -

a) Internal assessments (Standard 1311). This consists of ongoing monitoring and
periodic self-assessments which evaluate the internal audit activity’s conformance
with the mandatory elements of the IPPF, the quality and supervision of audit work
performed, the adequacy of internal audit policies and procedures, the value the
internal audit activity adds to the organization, and the establishment and
achievement of key performance indicators.
b) External assessments (Standard 1312). This must be performed by an
independent assessor or assessment team from outside the PSE at least once
every five years. Its main purpose shall be to validate whether the internal audit
activity conforms with the Standards and whether internal auditors apply the Code
of Ethics. It also assesses whether the IAA operates effectively and efficiently.
c) Communication of QAIP results (Standard 1320). The CAE must communicate
the results of the QAIP to senior management and the Board. The communication
must include the scope and frequency of both internal and external assessments
and other aspects outlined in Chapter 5 of this Guide.
d) Proper use of a conformance statement (Standard 1321). The internal audit
activity may only communicate, in writing or verbally, that the internal audit activity
conforms with the Standards if results of both the QAIP’s internal and external
assessments support such a statement.
e) Disclosure of nonconformance (Standard 1322). If an internal or external assessment
concludes that the internal audit activity does not conform with the IPPF’s
mandatory elements, and the lack of conformance impacts the overall scope or
operation of the internal audit activity, the CAE must disclose the nonconformance
and its impact to senior management and the Board.

2.4 Foundation of Quality

The quality of an internal audit activity is the degree to which it meets the customer’s
expectations and the degree to which it is fit for purpose. Delivering quality internal audit
activity requires a systematic and disciplined approach. It is the combination of the right
people, the right systems and a commitment to excellence. In order to ensure the QAIP in
place is effective, the leaders responsible for its implementation must set the proper tone
in support of quality and continuous improvement. A well-developed QAIP ensures that
the concept of quality is embedded in the internal audit activity and all of its operations.
Quality should be inculcated in all the aspects of the internal audit activity. This includes
the way the internal audit activity conducts its business, through its internal audit
methodology, policies and procedures, and human resource practices.

The IPPF is the main foundation for developing an internal audit activity’s QAIP. To
ensure that quality sets the foundation for the QAIP, the internal audit activity at the PSE
must consider all mandatory and recommended guidance elements of the IPPF that
support: -



a) Conformance with the Standards and the Code of Ethics. It is further understood
that through conformance with the Standards and the Code of Ethics, the internal
audit activity also achieves alignment with other mandatory elements of the IPPF.
b) Stakeholder centricity and satisfaction defined by expected and preferred internal
audit deliverables that produce value for the PSE.
c) Operational effectiveness and efficiency are achieved by ensuring the IAA meets
its objectives in an efficient manner.
d) Monitoring and Measurement since quality cannot be ensured without proper
monitoring and measurement. QAIP involves the collection and analysis of
relevant data to assess the performance of processes and services objectively.
e) Continuous improvement of internal audit activities is accomplished through quality
initiatives identified during the quality assessment process.
f) Management and Board commitment to provide resources and tools necessary for
a QAIP to succeed. Participation is expected by all members of the internal audit
activity.
g) Collaboration and communication given the fact that quality is not a responsibility
of a single function but a collective effort. QAIP promotes collaboration and
effective communication across different teams and functions.
h) Leadership and commitment mainly because strong leadership and commitment
to quality principles are necessary to create a quality-focused culture within the
organization.
i) Comprehensive coverage of all aspects of the internal audit activity at functional,
engagement and external perspective levels including those outlined in Figure 1.



Engagement Level (Assessment at audit, engagement or operational level)
• Appropriate processes have been used to translate audit plans into specific,
appropriately resourced audit engagements.
• Planning, fieldwork conduct, and reporting/communicating results conform to the
Definition of Internal Auditing, the Code of Ethics, and the Standards.
• Appropriate mechanisms are established and used to follow-up management actions
in response to audit recommendations.
• Post-engagement client surveys, lessons learned, self-assessments, and other
mechanisms to support continuous improvement are completed.

Activity Level (Assessment at internal audit activity/organisational level)
• Written policies and procedures, covering both technical and administrative matters,
are formally documented to guide audit staff in consistent conformance with IPPF.
• Audit work conforms to written policies and procedures.
• Audit work achieves the general purposes and responsibilities described in the internal
audit charter.
• Audit work conforms to the Definition of Internal Auditing, the Code of Ethics, and the
Standards.
• Internal audit work meets stakeholder expectation.
• The internal audit activity adds value and improves the organization’s operations.
• Resources for the internal audit activity are efficiently and effectively utilized.

External Perspective (Independent external assessment of the entire
internal audit activity including individual engagements)
• The CAE must ensure that the internal audit activity undergoes an external
assessment as per IPPF.
• External assessors express an opinion on the entire spectrum of assurance and
consulting work performed by the internal audit activity.

Figure 1: Coverage of various aspects of the Internal Audit Activity

By placing quality at the core of their operations, PSEs can build a robust QAIP that drives
success and growth.



2.5 The QAIP Framework

Common elements of all QAIPs include: -

a) A scope that includes all aspects of the internal audit activity.
b) An evaluation of conformance with the Standards and the Code of Ethics.
c) An appraisal of the efficiency and effectiveness of the internal audit activity.
d) The identification of opportunities for continuous improvement.
e) Board involvement in the oversight of the QAIP.

Figure 2: Illustrative Quality Assurance and Improvement Framework (Source: IPPF QAIP Practice Guide)

The Illustrative Quality Assurance and Improvement Framework outlined in Figure 2
focuses on three aspects within the internal audit activity i.e., Governance, Professional
Practice and Communication as outlined in the subsequent sections.

2.5.1 Governance

The main aspects to be assessed in the Governance area by the PSEs include:

a) Internal Audit Charter
i. Internal audit’s purpose, authority, and responsibility are formally defined in
a charter, consistent with the Definition of Internal Auditing, Code of Ethics,
and the Standards.
ii. The internal audit strategy is aligned with the organizational strategy.
iii. The internal audit activity’s charter provides assurance that the internal audit
activity adds value and improves the organization’s operations.
iv. The internal audit activity’s charter, mission statement, goals, and similar
documents are implemented in an effective manner.
v. The internal audit charter is reviewed regularly to take into account changes
that affect the IAA.
b) International Professional Practices Framework: The internal audit activity is in
conformance with the Definition of Internal Auditing, Code of Ethics, and the
Standards.
c) Legislation: The internal audit activity is in compliance with other applicable laws,
regulations, or policies. Such legislation includes the Public Finance Act, the Public
Finance Regulation (2004), and the Public Procurement Act, 2011 and its regulations,
among others.
d) Independence and Objectivity:
i. The internal audit activity’s structure, objectivity, roles and responsibilities,
and key governance processes are appropriate for managing the function.
ii. The internal audit activity is independent and objective in the performance
of its work.
iii. The organizational status of the internal audit activity is sufficient to permit
accomplishment of the objectives.

iv. Broader organizational governance arrangements provide assurance
regarding auditor independence and objectivity. Pertinent issues include
independence in the recruitment, promotion and performance appraisal of
the CAE.
e) Risk Impacting the Internal Audit Activity: Risks impacting the internal audit activity
have been identified and managed.
f) Resourcing: The appropriate level of financial and IT resources is available to the
internal audit activity to enable it to achieve its objectives in an efficient and
effective manner.

2.5.2 Professional Practice

The main aspects to be assessed in the Professional Practice area by the PSEs include:

a) Roles and Responsibilities:
i. Roles, responsibilities and competencies required of staff within the internal
audit activity are formally documented.
ii. The internal audit activity has fulfilled its responsibilities in regard to
governance, risk management, and control.

b) Risk-based Audit Planning:
i. The audit planning process is aligned with the PSE’s strategic objectives.
ii. The perspectives of senior management and the Board are considered in
audit planning.
iii. The process of audit planning ensures that all activities of the organization
are considered for audit, subjected to a risk assessment, ranked in order of
priority, and that appropriate audit objectives for each audit selected have
been established.
iv. An effective annual planning process exists including appropriate
processes for the reporting of progress toward achieving the established
plan.

c) Coordination with Other Assurance Providers: Internal audit activities are
coordinated with those of other assurance providers to ensure duplication is
minimized.
d) Audit Engagement Planning:
i. Risks relevant to the activity under review are assessed. The engagement
objectives reflect the results of the assessment.
ii. Appropriate resources are allocated for audit work to identify significant
issues.
iii. Work programs to achieve the engagement objectives are developed.
e) Performing the Engagement:
i. Engagement processes, including identifying information, analysis, and
evaluation, ensure that the steps in the audit program developed at the end
of the planning phase are completed in an effective and efficient manner.
ii. Audit techniques, including the use of internal audit automation and
computer assisted auditing techniques, are used as appropriate to provide
assurance that work is performed efficiently and effectively.
iii. The evidence gathered substantiates the audit findings and establishes the
cause and effect of issues identified as needing improvement.
iv. Information acquired when the audit is conducted is described and retained
in working papers to clearly document the audit process and identify
findings to support audit results.
v. Audit records are appropriately maintained.
vi. Audits are appropriately supervised for professional development and to
provide assurance that due professional care is applied.
f) Proficiency and Due Professional Care:
i. The internal audit activity collectively possesses or sources (for example,
from other PSEs) the knowledge, skills, and other competencies to perform
its responsibilities.
ii. Internal auditors display due professional care in the performance of their
responsibilities.

iii. Continuing professional development is provided to allow internal auditors
to enhance their knowledge, skills, and other competencies.
iv. Internal auditors’ competencies are regularly assessed against a
competence model, such as the IIA internal auditor’s competency framework.
v. Management and leadership development is embedded within the internal
audit activity.
g) Quality Assurance:
i. A QAIP is in place that covers all aspects of the internal audit activity and
the QAIP effectiveness is continuously monitored.
ii. Internal audit has processes in place to track and record progress toward
established objectives, plans, and budgeted resources.

2.5.3 Communication

The main aspects to be assessed in the Communication area by the PSEs include:

a) Audit Engagement Reports:
i. The final report presents the purpose, scope, and significant findings,
including the causes and effects, conclusions, recommendations, and the
engagement client’s action plans to address the issues outlined.
ii. An effective process is in place to ensure that the audit results are
presented to the appropriate level of management in time for discussion and
response.
iii. The engagement observations as documented in the report should capture
key aspects such as compliance, consistency, credibility, confidentiality and
communication of the processes in scope.
iv. Reports are provided to and/or are reviewed by senior management and
the Board.
v. The form and content of audit communications meet stakeholder
expectations.
vi. The phrase “conducted in accordance with the Standards” is utilized only
under appropriate circumstances.

b) Follow-up Phase: An appropriate follow-up process to ensure that management
actions have been effectively implemented has been established and is being
maintained.
c) Stakeholder Communications:
i. The internal audit activity’s communication practices inform the Board and
appropriate stakeholders of work undertaken.
ii. A performance management and measurement process is in place to
ensure that the effectiveness of the internal audit activity is optimized and
recognized.
iii. Engagement client satisfaction with the audit process is measured by the
internal audit activity, including the level of professionalism demonstrated
by the internal auditors and opportunities for improvement.
iv. The extent of satisfaction of other stakeholders with the internal audit
process and products is measured (this may include a self-assessment
questionnaire and a satisfaction survey for engagement clients).
v. The role and services offered by internal audit are understood by
stakeholders and considered to be value-adding.

2.6. Roles and Responsibilities of Key Stakeholders in the Implementation of QAIP

2.6.1 The Internal Auditor General Division

The IAGD has overall responsibility for the adoption and development of, and oversight over
the implementation of, the relevant international standards for the professional practice of
internal auditing in the United Republic of Tanzania. These include standards and
guidance relating to QAIP.

The roles of the IAGD shall include but will not be limited to: -

a) Coordinating QAIP across the PSEs.
b) Guiding development and updating of QAIP Guide for use and adoption by the
PSEs.

c) Guiding the PSEs to implement various aspects of the QAIP including internal and
external assessment.
d) Training PSEs on implementation of QAIP within the country.
e) Providing technical support to the PSEs when conducting both internal and
external assessments.
f) Monitoring the overall implementation of QAIP in the country.

2.6.2 Audit Committees in Public Sector Entities

The roles of the Audit Committee in PSEs include the following: -

a) Provide oversight over the QAIP in the PSE. This will include deciding on the form
and frequency of external assessments and oversight over the qualification and
independence of the external assessor, including potential conflict of interest, as per
Standard 1312.
b) Provide support to the CAE and the internal audit activity in the implementation of
QAIP.
c) Keep the Board updated on the performance of the internal audit activity including
implementation of QAIP.

2.6.3 Chief Audit Executives in Public Sector Entities

The roles of the Chief Audit Executives in PSEs include the following: -

a) Developing and maintaining the quality assurance and improvement program for
the PSE.
b) Encouraging Board oversight in the quality assurance and improvement program
by ensuring that all QAIP plans and reports are presented to the Board through the
relevant committee for consideration.
c) Meeting with the Audit Committees to gain an understanding of the expectations
for the internal audit activity, to discuss the importance of the Standards and the
QAIP and encourage the Board’s support.

d) Benchmarking with QAIP practices in similar organizations.
e) Bearing the primary responsibility for the periodic evaluation and updates to the
QAIP as may be required.
f) Through on-going monitoring determining whether internal audit processes are
delivering quality on an engagement-by-engagement basis.
g) Ensuring that the internal audit activity in the PSE conducts an external
assessment at least once every five years.

2.6.4 Senior Management in Public Sector Entities

The roles of the Senior Management in PSEs include the following: -

a) Participating in QAIP implementation through interviews, surveys and providing
feedback to the internal audit activity in the PSEs.
b) Providing their input on reports on the QAIP from the internal audit activities in
PSEs.
c) Providing financial and other support required by the internal audit activity to
implement QAIP in PSEs.

Chapter 3: Internal Quality Assessment

3.1 Overview

Various aspects of internal quality assessments as provided under Standard 1311 are
outlined in this chapter. Internal quality assessments are conducted to provide an
effective structure for the internal audit activity to continuously assess its conformance
with the Standards and whether internal auditors apply the Code of Ethics. Additionally,
they may allow for identification of improvement opportunities. The chapter is made up of
two main parts: one part elaborates the various elements of ongoing monitoring, while the
second part discusses periodic self-assessment. The step-by-step approach for use in
conducting periodic self-assessment is detailed in this chapter.

3.2 Ongoing Monitoring

3.2.1 Introduction

Ongoing monitoring is a fundamental part of the day-to-day supervision, review and
measurement of the internal audit activity. Ongoing monitoring is incorporated in the
internal audit policies and manuals and is achieved through continuous activities such as
engagement planning and supervision, standardized working practices and templates,
workpaper procedures and signoffs, engagement working papers and reports reviews, as
well as identification of any weaknesses or areas in need of improvement. Ongoing
monitoring helps the CAE to determine whether internal audit processes are delivering
quality on an engagement-by-engagement basis. In addition, ongoing monitoring may
identify opportunities to improve the internal audit activity’s effectiveness and efficiency.

3.2.2 Conducting Ongoing Monitoring

The processes and procedures that support ongoing monitoring are the basic foundation
of the internal audit activity and should be documented in the Internal Audit Manual of the
PSE. These processes and procedures include: -

i) Standardized templates and checklists;
ii) Selection of the internal audit team based on the unique skills requirements;
iii) Appointment of a team leader responsible for conducting detailed review of the
engagement working papers and on-the-job coaching of the team members;
iv) Setting up specific engagement key performance indicators such as time and cost
budgets;
v) Clear and concise internal audit methodology from engagement planning to
engagement monitoring;
vi) Conducting post-audit auditee surveys to obtain feedback on the quality of the
audit process;
vii) Standardized engagement, quarterly and annual reports; and
viii) Supervisory reviews and approvals of all engagement working papers to promote
consistency, quality and sustainability of internal audit processes and procedures.

The CAE is responsible for establishing and maintaining robust ongoing monitoring at
the PSE. Towards this, the CAE is responsible for conducting the ongoing monitoring or
appointing an experienced senior auditor from the PSE’s internal audit activity to
undertake the review. The checklist below should be adopted by the CAEs while
conducting ongoing monitoring of the internal audit activity in consultation with the IAGD
especially for small audit activities. Detailed questions for undertaking ongoing monitoring
are outlined in Appendix 2.6 Ongoing Monitoring Review Questions.

3.2.3 Tracking and Reporting of Ongoing Monitoring

The CAE should establish and maintain a tracker for key gaps/weaknesses identified in
the ongoing monitoring with a clear action plan. The IAGD Internal Audit Guide (ver. 2023)
has provided an example of a tracking tool that the CAE can adopt. Results of ongoing
monitoring should be reported to the Senior Management and Audit Committee at least
annually, as required by Standard 1320 – Reporting of the Quality Assurance and
Improvement Program.

3.3 Periodic Self-Assessments

3.3.1 Introduction
Periodic assessments provide a more holistic, comprehensive review of the Standards
and the internal audit activity. Periodic self-assessments are conducted to validate that
ongoing monitoring is operating effectively and to assess whether the internal audit
activity is in conformance with the Standards and whether internal auditors apply the
Code of Ethics. Additionally, periodic assessments may allow for identification of
improvement opportunities within the internal audit activities.

3.3.2 Planning
Key activities in planning for a periodic self-assessment shall include:

▪ Setting objectives and scope
▪ Selecting and preparing the assessment team
▪ Requesting planning documents
▪ Making arrangements for the preliminary visit
▪ Distribution of surveys

3.3.2.1 Setting objectives and scope

Periodic self-assessments shall be conducted for each PSE’s internal audit activity to: -
a) Validate that ongoing monitoring is operating effectively.
b) Assess whether the internal audit activity is in conformance with the Standards
and whether internal auditors apply the Code of Ethics. It is through conformance
with the Standards and Code of Ethics that the internal audit activity achieves
alignment with the Definition of Internal Auditing and the Core Principles for the
Professional Practice of Internal Auditing.
c) Assess the conformance with the internal audit charter and regulatory
requirements.
d) Assess the efficiency and effectiveness of the PSE’s internal audit activity in
meeting the needs of various stakeholders.

The main focus shall be to evaluate: -

▪ The quality and supervision of work performed;
▪ The adequacy and appropriateness of internal audit policies and
procedures;
▪ The ways in which the internal audit activity adds value by going beyond
these basic functions to provide insights, recommendations, and strategic
contributions that benefit the PSE. Specific value addition activities may
involve consulting engagements in risk management, process
improvement, strategic advisory, fraud prevention, compliance & ethics,
knowledge sharing, training, and development as well as stakeholder
communication;
▪ The achievement of key performance indicators; and
▪ The degree to which stakeholder expectations are met.

3.3.2.2 Selecting and preparing the assessment team

Periodic self-assessments within the PSEs shall be conducted by senior members of the
internal audit activity under guidance of the CAE or a dedicated quality assurance team
or individuals within the internal audit activity who have extensive experience with the
International Professional Practices Framework. The quality assurance team of the IAGD
shall provide the requisite support including provision of personnel to the internal audit
activities of the PSEs during the implementation of periodic self-assessments.

In all situations, the assessor or assessment team shall be independent from the areas
they review by ensuring that they do not assess engagements for which they were
primarily responsible. In addition, the assessor or the assessment team shall be
competent in the practice of internal auditing.

3.3.2.3 Requesting Planning documents

In order to ensure the efficiency of the periodic self-assessment process the planning
documentation shall be completed before the on-site visit by the assessment team. The
team leader shall request advance information as provided under Template 2.1.1
Background Information and Document Request List.

The invitation to complete surveys together with the accompanying survey tools shall also
be sent to senior management and internal audit staff as outlined in Template 2.2.1 Senior
Management Survey Tool and Template 2.2.2 Internal Audit Survey Tool. Surveys
shall not be sent to external auditors and Audit Committee members; however, these key
stakeholders shall be interviewed.

3.3.2.4 Kick-off meeting

The assessment team leader shall arrange for a kickoff meeting. The meeting shall be
meant to: -

a) Meet the CAE and other staff that may be assisting the team during the on-site
visit.
b) Provide any clarifications that may be required regarding the planning
documentation as outlined in Template 2.1.1 Background Information and
Document Request List.
c) Ensure that all documents requested per the checklist can be provided.
d) Build consensus regarding the time, venue, scope, and objectives of the periodic
self-assessment.
e) Identify the members of senior management, internal audit activity staff, and other
key stakeholders with whom meetings will be arranged and completed as outlined
in Template 2.1.7 Interview Schedule Tool.
f) Agree on the list of participants for the surveys from senior management and
internal audit staff.

3.3.2.5 Distribution of Surveys

Following the kickoff meeting, the assessment team shall distribute surveys to senior
management and internal audit staff based on the participant list agreed on during the
kickoff meeting with the CAE. Please refer to Template 2.2.1 Senior Management
Survey Tool and Template 2.2.2 Internal Audit Survey Tool.

3.3.3 Off-site work

Off-site work shall include planning and review of other documents provided by the PSE
as well as summarizing survey results.

3.3.3.1 Reviewing planning documents

The assessment team should review the planning documents and all planning guides and
documents required for the assessment. This will ensure that the team is well prepared
for the fieldwork. The documentation to be reviewed in this case includes Template 2.1.2
Internal Audit Governance Assessment Tool, Template 2.1.3 Internal Audit Staff
Assessment Tool, Template 2.1.4 Internal Audit Management Assessment Tool and
Template 2.1.5 Internal Audit Process Assessment Tool.

3.3.3.2 Reviewing all other documents received per document request list

The assessment team shall proceed to review all other documents which will have been
provided during the planning stage of the assessment. This includes the background about
the PSE, details of the internal audit staff, and background of the internal audit activity at the
PSE, among other specific information that will be included in the information and
document request list.

3.3.3.3 Summarising survey responses

The CAE should complete the two surveys, as a member of the senior management team
and as a member of the internal audit staff. The assessment team should compare the
results of the CAE’s surveys with those from the rest of the internal audit staff and senior
management. This will enable the assessment team to identify early opportunities for
improvement from the assessment as well as areas of strength for the internal audit
activity.

The assessment team should also analyse and summarize the feedback from the survey
to the CAE. Overall ratings and trends from the surveys should be drawn as well. The
assessment team should take note of areas of significant divergence between CAE’s
responses and those of survey participants for further investigation during interviews. The
assessment team should also update the interview guides accordingly. See Templates
2.3.1, 2.3.2, 2.3.3 and 2.3.4.

3.3.4 Field Work

3.3.4.1 Interviewing clients, IA staff, and stakeholders

At the beginning of the fieldwork, the assessment team shall plan and conduct interviews
with key stakeholders. This will include Audit Committee members, senior management
team, internal audit staff, external auditors and other assurance providers. The
assessment team shall use updated interview guides as outlined in Templates 2.3.1,
2.3.2, 2.3.3 and 2.3.4. Interviews may also continue throughout the fieldwork to
accommodate the busy schedules of target interviewees.

The focus for the interviews should include the PSE’s organizational risks and objectives as
well as the internal audit activity’s effectiveness for staying current and adding value. The
interviews should be conducted as a follow up to the results of the surveys which should
already have been administered and analyzed. This allows for in-depth exploration of
issues raised by the survey results. In addition, the perceptions from the interviews should
be investigated further and corroborated where appropriate.

3.3.4.2 Reviewing of working papers and other documents

The assessment team shall review the internal audit activity’s assurance and consulting
engagements, reports, and supporting documentation and its administrative and
operating policies, practices, procedures, and records. The assessment team shall
sample engagements from the approved work plans and conduct end-to-end reviews
where appropriate. Assessment teams drawn from the engagement activity should
not review engagements which they have been involved in executing.

The team should also determine if the CAE is responsible for other areas beyond internal
auditing; and if so, the mechanisms in place to actively manage the actual or perceived
impairments to independence or objectivity this might cause.

While undertaking the fieldwork, the assessment team shall review all other documents
which may be available onsite. This will be based on the information provided as per the
information request list. This will include review of physical engagement documentation,
staff details and other information.

3.3.4.3 Determining staffing knowledge

The assessment team should also determine the adequacy of staffing knowledge and
skills, especially in IT, sector/industry expertise, risk assessment and controls monitoring.
Through interaction with governance participants, review of successful practices, and
other areas, the assessment team shall pinpoint areas of continuous improvement in
staffing knowledge. As a follow-up to the interviews and surveys done with the internal
audit staff, the assessment team, where necessary, may review various staff records to
confirm/interrogate the staff’s knowledge and competencies. Key areas that will be
reviewed include but are not limited to: -

a) Competency assessments of the internal audit activity.

b) Internal audit organization structure and establishment.
c) Records of a recruitment and training strategy, continuous development plans, job
descriptions, and updated staff profiles for the internal audit staff.
d) Rewards and remuneration records.
e) Internal audit career progression guidelines.
f) Performance management records.
g) Internal audit policies and procedures and workpaper templates.
h) Evidence that internal audit policies and procedures were communicated and
signed acknowledgement that the internal audit staff understand them.
i) Evidence supporting annual declaration related to The IIA’s Code of Ethics and the
organization’s code of conduct.
j) The internal audit plan and engagement plans, which demonstrate the sufficient
and appropriate allocation of internal audit staff.

3.3.4.4 Conducting team discussions

The assessment team should hold regular discussions and consultations during the
assessment to corroborate their findings as they emerge. This is especially important
since an ideal assessment team should be a multidisciplinary team which collectively
should add value to the internal audit activity.

More specifically the assessment team’s discussions should entail: -

a) Review of reports and communication with management and the Board (Audit
Committee) to assess the extent that the internal audit activity meets objectives
and adds value.
b) Review and assess the coordination of the internal audit activity with the work of
the independent auditors and other assurance providers.
c) Evaluate the internal audit activity’s conformance with the Standards and Code of
Ethics and other relevant policies and procedures.

d) Review the quality/process improvement actions currently underway and planned
for the near term. Also consider successful practices appropriate to the PSE’s
environment.

3.3.5 Evaluate and Report

3.3.5.1 Evaluating against IPPF for conformance and areas for improvement

The evaluation is a culmination of the assessment team’s analysis of surveys, interviews
and documentation. It should be conducted using assessment tools provided in
Templates 2.4.1, 2.4.2, 2.4.3 and 2.4.4. This is the most important aspect of the
assessment, which requires evaluation of the internal audit activity against the Standards and
the Code of Ethics, its adherence to its charter, the extent of its adoption of successful
practices, and its program of continuous improvement. It is expected that these
evaluations will also identify additional opportunities for continuous improvement.

The assessment team is expected to provide recommendations for the internal audit
activity to enhance conformance with the Standards and the Code of Ethics, add value
for clients, and be a catalyst for positive change in the organization. The assessment
team should exercise its professional judgement to issue an opinion as to the level of
conformance with the Standards and the Code of Ethics by the internal audit activity. The
experience and skills of the assessment team are essential when providing recommendations and
issuing the opinion. The Team Leader should carefully review these
aspects of the assessment before finalization.

3.3.5.2 Summarising issues and recommendations

The assessment team should use Templates 2.5.1 and 2.5.2 to prepare evaluation
summaries for the assessment. The appendices document the basis for reporting
assessment results. The appendices summarise the collective view of the assessor or
assessment team related to conformance with the Standards and the Code of Ethics. The
appendices also provide documentation of the results of all work performed and
documented in previous appendices.

Any emerging issues should be brought to the attention of the CAE as and when they
arise.

3.3.5.3 Exit meeting

The exit meeting is mainly aimed at summarizing and formalizing the views of the
assessment team and the CAE. The assessment team should ensure that individual
observations are discussed with internal audit management as they arise such that there
are no surprises during the exit meeting.

A written guide for the exit meeting in the form of a written summary of successful
practices, observations and recommendations for those attending the exit meeting should
be prepared.

The assessment team leader and the CAE should agree on the participants for the exit
meeting. This should include but should not be limited to the CAE, senior staff from the
internal audit activity and the assessment team. Selected members of senior
management team may also be invited to attend the exit meeting.

The exit meeting should be conducted in an orderly manner and the discussions should
cover the significant issues from the assessment, conclusions and
recommendations. The assessment team should give the CAE an opportunity to
comment on the observations and recommendations from the assessment. A written
record of the exit meeting should be documented and signed off.

3.3.5.4 Issuance of draft report for comments

The assessment team should draft the assessment report using the guidance provided in
Template 2.6.1. When preparing the draft assessment report, the assessment team
should consider the CAE’s comments on the observations and recommendations which
shall have been provided during the exit meeting.

The draft assessment report should be submitted to the CAE for comments within 14
days. The CAE shall also be requested and required to provide proposed action plans
and timelines for implementation of recommendations from the assessment.

3.4.5.5 Issuance of final report to the Chief Audit Executive

Once the CAE provides comments, action plans and timelines for implementation of
recommendations from the assessment, the assessment team shall consider such
comments and incorporate them in the draft. Where necessary the assessment team shall
have engagements with the CAE before finalizing the assessment report. The
assessment team will issue the final report to the CAE who will be expected to distribute
copies to the IAGD, the Board (through the Audit Committee) and the executives to whom
the CAE reports. Copies of the assessment report should also be addressed to other
individuals or groups who will have initiated the assessment.

The CAE shall ensure compliance with Standard 1320 which requires that the periodic
assessment results, including the conclusions on conformance, must be communicated
to the senior management and the Board.

Chapter 4: Full External Assessment

4.1 Overview

This chapter outlines the key activities involved in conducting a successful full
external assessment. These include frequency of external assessments, planning, off-site
work, fieldwork as well as evaluating and reporting activities.

4.2 Frequency of External Assessment

The CAE shall hold discussions with senior management and the Audit Committee
regarding the type and frequency of the external assessment that will be conducted. Such
discussions will enable the CAE to educate stakeholders and gain an understanding of,
and an appreciation for, the PSE’s expectation of the objectives and scope of the
assessment. While the standards require the external assessment to be undertaken at
least once every five years, discussions with senior management and the Audit
Committee may indicate to the CAE that it is more appropriate to conduct the external
assessment more frequently. Factors which may necessitate the PSE to consider a more
frequent external assessment include: -

a) Changes in senior management and/or the CAE.
b) Changes in the organization of the internal audit activity within the PSE.
c) Significant changes in the internal audit policies and procedures.
d) Significant staff turnover.
e) Industry specific or environmental issues which may warrant more frequent review.

4.3 Planning

Key activities in planning for a full external assessment are:

a) Setting scope and objectives.
b) Selecting and preparing the assessment team.
c) Requesting planning documents.
d) Making arrangements for the preliminary visit.
e) Distribution of surveys.

4.3.1 Setting objectives and scope

The minimum objectives to be achieved from a full external assessment for PSEs include
the following: -

a) Provide an opinion on the internal audit activity’s conformance with the Standards
and the Code of Ethics.
b) Assess the efficiency and effectiveness of the internal audit activity in light of its
charter; its processes and infrastructure, including the quality assurance and
improvement program.
c) Assess the mix of knowledge, experience, and expertise of internal audit team;
and the expectations of the Board (as represented by the Audit Committee), senior
management, other stakeholders and assurance providers, and the CAE.
d) Consider the internal audit activity’s current needs and objectives, as well as the
future direction and goals of the PSE. Appraise the risk to the organization if the
results indicate that the internal audit activity is performing at a less than effective
level or is not in conformance with one or more of the Standards.
e) Identify opportunities and offer ideas to the CAE and staff for improving the
effectiveness of the internal audit activity, thereby raising the value added to
management and the Audit Committee.

The minimum scope for full external assessment for PSEs includes the following: -

a) The internal audit activity charter that documents the purpose, authority, and
responsibility of the internal audit activity and is approved by the Board.
b) The extent to which the internal audit activity meets the expectations of the IAGD,
the Board, senior management, other stakeholders and adds value to the PSE.
c) The PSE’s control environment and the CAE’s audit practice environment.
d) The focus on evaluating governance processes, enterprise risk, and assessing
organizational controls in audit plans.
e) The integration of internal audit into the PSE’s governance process, including the
combined assurance relationships and communications between the key
governance groups and assurance providers involved in that process and the
aligning of audit objectives and plans with the objectives of the PSE as a whole.
f) The level of conformance with mandatory elements of the IPPF and any other
legal, regulatory and policy requirements laid down for the PSE. This will include
but not be limited to the Internal Audit Guide for Public Sector Entities in Tanzania.
g) The efficiency and effectiveness of the internal audit activity. This may be
measured through an assessment of the internal audit activity’s processes and
infrastructure, including the QAIP, and an evaluation of the internal audit staff’s
knowledge, experience, and expertise.
h) The scope may also involve a maturity assessment in line with the Internal Audit
Capability Model.

4.3.2 Selecting and preparing the assessment team

Standard 1312 – External Assessments specifies that the full external assessment must
be conducted by a qualified, independent assessor or assessment team from outside the
PSE. Qualified assessors are persons with the technical proficiency, internal audit
experience, business experience, and educational background appropriate for the audit
activities to be assessed. This could include internal auditors from outside the PSE,
independent consultants, or independent auditors, but preferably not the external audit
firm that audits the organization’s financial statements, or consultants providing any
co-sourcing for the PSE. “From outside the PSE” means not a part of, or under the control
of, the PSE.

A qualified assessor or assessment team demonstrates competence in two areas: the
professional practice of internal auditing and the external assessment process.
Competence can be demonstrated through a mixture of experience and theoretical
learning. Experience gained in organizations of similar size, complexity, sector or
industry, and technical issues is more valuable than less relevant experience. In the case
of an assessment team, not all members of the team need to have all the competencies;
it is the team as a whole that is qualified. The team leader should have experience that is
comparable to that of the CAE of the internal audit activity being assessed. The chief
audit executive uses professional judgment when assessing whether an assessor or
assessment team demonstrates sufficient competence to be qualified.

Possible qualifications that the CAEs can use to assess the competence of a full external
assessment team include the following: -

a) Key competences:
i. Professional Practice of Internal Auditing or any other related discipline;
ii. External Quality Assessment process;
iii. Certification as an Audit Professional (e.g., CIA, CRMA, CQA).

b) Additional competences:
i. Knowledge of leading internal auditing practices;
ii. Sufficient recent experience in the practice of internal auditing at a
management level, which demonstrates a working knowledge and
application of the IPPF; Experience gained from previous external
assessment;
iii. Completion of the IIA’s quality assessment training course or similar
training;
iv. Experience as CAE or comparable senior internal audit management; and
v. Technical expertise and industry experience.
c) Objectivity
i. The full external assessment team should objectively consider the
expectations of the Audit Committee, senior management, and the CAE;
the audit structure; and the policies and procedures of the PSE and the
internal audit activity.
ii. To ensure freedom from bias in the full external assessment, there should
not be any relationship, either directly or indirectly, between the PSE and
the full external assessment team that is, or appears to be, a conflict of
interest. Such relationships could significantly negate the benefits of the full
external assessment.
iii. Reciprocal peer assessments between two PSEs will not be considered
independent.
iv. Where reciprocal assessments are undertaken among three or more
entities care must be exercised to ensure that independence and objectivity
are not impaired, and all team members are able to exercise their
responsibilities fully.

When procuring the services of the external assessment team, the PSEs shall comply
with relevant laws, regulations, guidelines, and policies for conducting public
procurement. More specifically, the PSE shall fully comply with the Public Procurement
Act, 2011 and its regulations. Prior to initiation of the procurement processes, the CAE
should discuss with the Board/Audit Committee and Accounting Officer how procurement
for assessment services will be carried out and the allocation of funds to the
respective activities. Moreover, the CAE will consult the IAGD on the best
option to carry out a valid external assessment.

4.3.3 Requesting planning documents


In order to ensure the efficiency of the full external assessment process the planning
documentation shall be completed by the internal audit activity before the on-site visit by
the assessment team. The team leader shall request information in advance as provided
under Template 2.1.1 Background Information and Document Request List.

The invitation to complete surveys together with the accompanying survey tools shall also
be sent to senior management and internal audit staff as outlined in Template 2.2.1 Senior
Management Survey Tool and Template 2.2.2 Internal Audit Survey Tool.

4.3.4 Kick off meeting


The full external assessment team leader shall arrange for a kickoff meeting which shall
be held either physically or online (virtually). The meeting shall be meant to: -

a) Meet the CAE and other staff that may be assisting the team during the on-site
visit.
b) Provide any clarifications that may be required regarding the planning
documentation as outlined in Template 2.1.1 Background Information and
Document Request List.
c) Ensure that all documents requested per the checklist can be provided.
d) Build consensus regarding the time, venue, scope, and objectives of the full
external assessment.
e) Identify the members of senior management, internal audit activity staff, and other
key stakeholders with whom meetings will be arranged, and complete Template
2.1.7 Interview Schedule Tool.
f) Agree on the list of participants for the surveys from senior management and
internal audit staff.

The assessment team shall ensure a written record of the minutes from the kickoff
meeting is kept as well.

4.3.5 Distribution of Surveys

Following the kickoff meeting, the assessment team leader should distribute surveys to
senior management and internal audit staff based on the participant list agreed on
during the kickoff meeting with the CAE. Please refer to Template 2.2.1 Senior
Management Survey Tool and Template 2.2.2 Internal Audit Survey Tool.

4.4 Off-site work

4.4.1 Reviewing planning documents

The assessment team should review the planning documents and all planning guides and
documents required for the full external assessment. This will ensure that the team is well
prepared for the fieldwork. The documentation to be reviewed in this case includes
Template 2.1.2 Internal Audit Governance Assessment Tool, Template 2.1.3 Internal
Audit Staff Assessment Tool, Template 2.1.4 Internal Audit Management
Assessment Tool and Template 2.1.5 Internal Audit Process Assessment Tool.

4.4.2 Reviewing all other documents received per document request list

The assessment team should proceed to review all other documents which have been
provided by the CAE during the planning stage of the assessment. This includes the
background about the PSE, details of the CAE and internal audit staff, background of the
internal audit activity at the PSE among other specific information that will be included in
the information and document request list.

4.4.3 Summarising survey responses

The CAE should complete the two surveys, as a member of the senior management team
and as a member of the internal audit staff. The assessment team should compare the
results of the CAE’s surveys with those from the rest of the internal audit staff and senior
management. This will enable the assessment team to identify early opportunities for
improvement from the assessment as well as areas of strength for the internal audit
activity.

Overall ratings and trends from the surveys should be drawn as well. The assessment
team should take note of areas of significant divergence between CAE’s responses and
those of survey participants for further investigation during interviews. The assessment
team should also update the interview guides accordingly. See Templates 2.3.1, 2.3.2,
2.3.3 and 2.3.4.

4.5 Field Work

4.5.1 Interviewing clients, IA staff, and stakeholders

At the beginning of the fieldwork, the assessment team shall plan and conduct interviews
with key stakeholders. This will include the Board Audit Committee members, senior
management team, internal audit staff, external auditors and other assurance providers.
The assessment team will use updated interview guides as outlined in Templates 2.3.1,
2.3.2, 2.3.3 and 2.3.4. Interviews may also continue throughout the fieldwork to
accommodate the busy schedules of target interviewees.

The focus for the interviews should include the PSE’s organizational risks and objectives as
well as the internal audit activity’s effectiveness for staying current and adding value. The
interviews should be conducted as a follow up to the results of the surveys which should
already have been administered and analysed. This allows for in-depth exploration of
issues raised by the survey results. In addition, the perceptions from the interviews should
be investigated further and corroborated where appropriate.

4.5.2 Reviewing of working papers


The assessment team shall review the internal audit activity’s assurance and consulting
engagements, reports, and supporting documentation and its administrative and
operating policies, practices, procedures, and records. The assessment team shall
sample engagements from the approved work plans and conduct end-to-end reviews
where appropriate.

4.5.3 Reviewing all other documents only available on-site


While undertaking the fieldwork, the assessment team will review all other documents
which may be available onsite. This will be based on the information provided by the client
as per the information request list. This will include review of physical engagement
documentation, staff details and other information.

4.5.4 Determining staffing knowledge

The assessment team should also determine if the staffing knowledge and skills,
especially in IT, sector/industry expertise, risk assessment, controls monitoring,
interaction with governance participants, successful practices, and other areas, will
pinpoint evidence of continuous improvement. As a follow-up to the interviews and
surveys done with the internal audit staff, the assessment team may, where necessary,
review various staff records to confirm/interrogate the staff’s knowledge and
competencies. Key areas that will be reviewed include but are not limited to: -

a) Competency assessments of the internal audit activity.
b) Internal audit organization structure and establishment.
c) Records of a recruitment and training strategy, continuous development plans, job
descriptions, and updated staff profiles for the internal audit staff.
d) Rewards and remuneration records.
e) Internal audit career progression guidelines.
f) Performance management records.
g) Internal audit policies and procedures and workpaper templates.
h) Evidence that internal audit policies and procedures were communicated and
signed acknowledgement that the internal audit staff understand them.
i) Evidence supporting annual declaration related to The IIA’s Code of Ethics and the
organization’s code of conduct.
j) The internal audit plan and engagement plans, which demonstrate the sufficient
and appropriate allocation of internal audit staff.

4.5.5 Conducting team discussions

The assessment team should hold regular discussions and consultations during the
assessment to corroborate their findings as they emerge. This is especially important
since an ideal assessment team should be a multidisciplinary team which collectively
should add value to the internal audit activity.

More specifically the assessment team’s discussions should entail: -

a) Review of reports and communication with management and the Board (Audit
Committee) to assess the extent that the internal audit activity meets objectives
and adds value.
b) Review and assessment of the coordination of the internal audit activity with the
work of the independent auditors and other assurance providers.
c) Evaluation of the internal audit activity’s conformance with the Standards and
Code of Ethics and other relevant policies and procedures.
d) Review of the quality/process improvement actions currently underway and
planned for the near term. Also consider successful practices appropriate to the
PSE’s environment.

4.6 Evaluate and Report

4.6.1 Evaluating against IPPF for conformance and areas for improvement

The evaluation is a culmination of the assessment team’s analysis of surveys, interviews
and documentation. It should be conducted using assessment tools provided in
Templates 2.4.1, 2.4.2, 2.4.3 and 2.4.4. This is the most important aspect of the
assessment which requires evaluation of the internal audit activity’s conformance with the
Standards and the Code of Ethics, its adherence to its charter, the extent of its adoption
of successful practices, and its program of continuous improvement. It is expected that
these evaluations will also identify additional opportunities for continuous improvement.

The full external assessment team is expected to provide recommendations for the
internal audit activity to enhance conformance with the Standards and the Code of Ethics,
add value for clients, and be a catalyst for positive change in the organization. The
assessment team should exercise its professional judgement to issue an opinion as to
the level of conformance with the standards and the Code of Ethics by the internal audit
activity. The experience and skills of the assessment team are essential when providing
recommendations and issuing the opinion. The Team Leader should
carefully review these aspects of the assessment before finalization.

4.6.2 Summarising issues and recommendations

The assessment team should use Templates 2.5.1 and 2.5.2 to prepare evaluation
summaries for the assessment. The appendices document the basis for reporting
external assessment results. The appendices summarise the collective view of the
assessor or assessment team related to conformance with the Standards and the Code
of Ethics. The appendices also provide documentation of the results of all work
performed and documented in previous appendices. Emerging issues should be brought
to the attention of the CAE as and when they arise.

4.6.3 Exit meeting

The exit meeting is mainly aimed at summarizing and formalizing the views of the full
external assessment team and the CAE. The assessment team should ensure that
individual observations are discussed with internal audit management as they arise such
that there are no surprises during the exit meeting.

A written guide for the exit meeting in the form of a written summary of successful
practices, observations and recommendations for those attending the exit meeting should
be prepared.

The assessment team leader and the CAE should agree on the participants for the exit
meeting. This should include but should not be limited to the CAE, senior staff from the
internal audit activity, the assessment team and senior management team.

The exit meeting should be conducted in an orderly manner and the discussions should
comprise the significant issues from the assessment, conclusions and
recommendations. The assessment team should give the CAE an opportunity to
comment on the observations and recommendations from the assessment. A written
record of the exit meeting should be documented and shared with the CAE for
concurrence.

4.6.4 Issuance of draft report for comments

The assessment team should draft the assessment report using the guidance provided in
Template 2.7.2. When preparing the draft assessment report, the assessment team
should consider the CAE’s comments on the observations and recommendations which
will have been provided during the exit meeting. All external assessment reports shall
include the expression of an opinion or conclusion on the results of the external
assessment. In addition to concluding on the internal audit activity’s overall degree of
conformance with the Standards and Code of Ethics, the report shall include an
assessment for each standard and/or standard series.

The draft assessment report should be submitted to the CAE for comments within 14
days. The CAE will also be requested and required to provide proposed action plans and
timelines for implementation of recommendations from the assessment.

4.6.5 Issuance of final report to the Chief Audit Executive

Once the CAE provides comments, action plans and timelines for implementation of
recommendations from the assessment, the assessment team will consider such
comments and incorporate them in the draft. Where necessary the assessment team will
have engagements with the CAE before finalizing the assessment report. The
assessment team will issue the final report to the CAE who will be expected to distribute
copies to the Board (through the Audit Committee) and the executives to whom the
CAE reports. Copies of the assessment report should also be addressed to other
individuals or groups who will have initiated the full external assessment.

The CAE shall ensure compliance with standard 1320 which requires that the external
assessment results, including the conclusions on conformance, must be communicated
to the senior management and the Board.

Chapter 5: Self-Assessment with Independent Validation

5.1 Overview

This chapter focusses on the second approach to conducting internal audit external
assessment. The approach mainly involves the use of self-assessment by the internal
audit activity led by the CAE and validation by an independent qualified external assessor
or assessment team.

5.2 Defining the scope and approach to the assessment

The primary objective is to assess conformance with the Standards and Code of Ethics.
Through consultation with the IAGD, the Board and senior management, the CAE should
define the scope of the self-assessment with independent validation, which may include
feedback on potential leading practices or identification of opportunities for enhancing
existing internal audit activity processes.

Planning, scheduling, and staffing the self-assessment will follow the same process the
internal audit activity uses to execute and control any assurance or consulting
engagement as per the Internal Audit Guide for PSEs. Assigning necessary resources to
complete the self-assessment will be part of the annual plan for the internal audit activity
for the year in which the self-assessment with independent validation is to be performed.
Progress updates regarding the self-assessment will be included with status reporting for
all other engagements in the process as a component of periodic reporting to senior
management and the Board.

When planning for an independent external self-assessment with independent validation
the internal audit activity at the PSE should consider the following: -

a) An evaluation of additional documentation and analysis required by the planning
tools (see Templates 2.1.1 - 2.1.7) beyond what is readily available from the
Internal Audit Guide for PSEs and other internal audit activities documentation.
b) An estimate of time required for distributing, collecting, and analyzing survey tools
(see Templates 2.2.1 and 2.2.2). This activity should be coordinated with the
external independent assessor as detailed in Section 5.4.
c) A proposal from the independent external assessor regarding the number of
interviews (Templates 2.3.1 – 2.3.4) they wish to conduct with the Board, senior
executives, operating management, and internal audit activity management and
staff. This activity should be coordinated with the external independent assessor
as detailed in Section 5.4.
d) An estimate of time required for the internal assessment team to complete the
assessment programs (see Templates 2.4.1 - 2.4.4). A critical assumption for this
estimate is the number of engagement files to be reviewed as part of the internal
audit process program.
e) A discussion with the independent external assessor regarding how much time
they need for their on-site work, and how far in advance of the on-site work they
want to receive documentation prepared by the internal audit activity’s internal
assessment team.

Upon completion of the on-site work by the independent external assessor, the self-
assessment with independent validation’s schedule should allow time for the external
assessor to complete the Independent Validation Statement. See templates 2.5.1 and
2.5.2.

5.3 Selecting the Independent External Assessor for a Self-Assessment with Independent Validation

The PSE should make reference to Section 4.4.2 when selecting the independent
external assessor. More specifically provisions of standard 1312 should be adhered to
strictly. A qualified assessor or assessment team shall demonstrate competence in two
areas i.e., the professional practice of internal auditing and the external assessment
process. Competence can be demonstrated through a mixture of experience and
theoretical learning. Experience gained in organizations of similar size, complexity, sector
or industry, and technical issues is more valuable than less relevant experience. In the
case of an assessment team, not all members of the team need to have all the
competencies; it is the team as a whole that is qualified.

The chief audit executive shall use professional judgment when assessing whether an
assessor or assessment team demonstrates sufficient competence to be qualified. An
independent assessor or assessment team means not having either an actual or a
perceived conflict of interest and not being a part of, or under the control of, the PSE to
which the internal audit activity belongs.

The CAE will consult with the Board and senior leadership as well as the IAGD regarding
selection of the external assessor or assessment team based on a thorough review of
their qualifications and experience. During the contracting process, the CAE shall also
obtain a signed statement from the external assessor or assessment team confirming
their independence as defined in the standards. The identified external assessor or
assessment team shall undertake a mandatory visit to the PSE to assess the readiness
of the PSE’s IAA to undertake the self-assessment with external validation before signing
the contract. In the event the PSE will not be ready for a self-assessment with external
validation the IAGD will provide further guidance for the PSE to conduct a full external
assessment.

5.4 Communication and Coordination with the External Validation Assessor

While most of the work in performing a self-assessment with independent validation is
completed by the internal audit activity’s internal assessment team, the external assessor
will perform some work during the on-site visit, and coordination with the internal
assessment team will facilitate completion of the external assessor’s work.

The internal assessment team (or CAE) and the external assessor should agree on who
will be asked to participate in the surveys and on the schedule for completing the surveys.
The internal assessment team shall be responsible for sending out the surveys, and
survey participants will normally send their responses directly to the external assessor for
collation and evaluation of results. The external assessor will review results of the surveys
with the CAE and the internal assessment team during the on-site visit. The external
assessor will also use information gained from the surveys in completing interviews with
key stakeholders.

The internal assessment team (or CAE) and the external assessor should agree on who
will be interviewed and on the schedule for completing the interviews. Interviews shall be
conducted by the external assessor during the on-site visit. At a minimum, the external
assessor or assessment team shall interview the Board Audit Committee chair, the
Managing Director (MD)/the Chief Executive Officer (CEO), the person to whom the
internal audit activity reports administratively within the organization (if not the CEO),
and the external audit partner. Other interviews of key stakeholders shall specifically be
coordinated with the CAE.

During the on-site visit, the external assessor will review tests of audit engagement files
prepared by the internal assessment team. The external assessor may also want to
review other audit engagement files not reviewed by the internal assessment team. To
enable the external assessor to complete this review, the internal assessment team
should provide the external assessor with appropriate access to all the relevant
information.

5.5 Work to be completed before fieldwork

The CAE of the PSE shall be responsible for oversight of the completion of the self-
assessment of the internal audit activity using the same tools completed during the full
external assessment. See Appendices 2.1- 2.6. Key elements of the self-assessment to
be performed and documented by the internal audit activity’s internal assessment team
include: -

a) Completing the planning guides (see Templates 2.1.1 - 2.1.6), which include an
analysis of the internal audit activity’s operations and answers to a series of
questions that provide insight into the CAE’s views regarding specific conformance
criteria related to the Standards or the Code of Ethics.
b) Conducting surveys using the survey guides (see Templates 2.2.1 – 2.2.2) that
collect information from senior management, and internal audit management and
staff regarding various aspects of the internal audit activity. The results of the
surveys shall be sent directly to the external assessor or assessment team as
outlined in Section 5.4.
c) Executing the assessment programs (see Templates 2.4.1 - 2.4.4) that are intended
to collect, evaluate, and document evidence of conformance with the Standards
and the Code of Ethics.
d) Summarizing results of the evaluation (see Templates 2.5.1 and 2.5.2).
e) Preparing a report (see Template 2.6.4) of the results of the self-assessment to
be validated by the external assessor and eventually distributed to the Board and
other appropriate stakeholders.

All of the above materials shall be made available to the external assessor for use in
completing the review and validation of the self-assessment. The internal audit activity
shall coordinate with the external assessor or assessment team as to which documents
will be supplied to the external assessor before the on-site visit. The external assessor
will also schedule interviews to be conducted during the on-site visit.

5.6 Work to be performed during the fieldwork

While executing the work during the on-site visit, the external assessor shall review
documentation prepared by the internal assessment team and perform sufficient tests of
the self-assessment to validate results and express an opinion regarding conformance
with the Standards and the Code of Ethics to include:

a) Exercising professional judgment in determining the extent of testing of the
self-assessment based on the size and complexity of the internal audit activity.
b) Conducting interviews with key stakeholders to follow up on any issues or
opportunities identified from the surveys—all within the agreed-upon scope of the
self-assessment with independent validation.

Since the internal audit activity’s internal assessment team undertakes most of the
self-assessment work, the amount of time required on site by the external assessor is normally
much less than that required by an external assessment team performing a full external
assessment.

5.7 Reporting and Follow-Up

Upon completion of all the fieldwork, the independent external assessor will provide an
opinion confirming the results, or expressing disagreement with the self-assessment, as
appropriate. Relevant reporting templates are outlined in Appendix 2.7. If the external
assessor is not in agreement with the self-assessment report, the external assessor can
add dissenting wording to the report, specifying the points of disagreement.

The final report of the self-assessment with independent validation, in the format outlined
in Template 2.7.3, should be signed by the internal audit activity’s internal assessment
team and the independent external assessor and issued by the CAE to senior
management and the Board.

Chapter 6: QAIP Monitoring and Follow-up

6.1. Overview

While the preceding chapters focused on the establishment and implementation of the
QAIP through internal and external assessments, this chapter outlines key issues that
must be addressed during monitoring, reporting and follow-up of QAIP activities. The
monitoring, reporting and follow-up activities are necessitated by the provisions of
Standard 1300, which requires the CAE to periodically evaluate the QAIP and provide
updates to it. As the internal audit activity matures, or as conditions within the
internal audit activity change, adjustments to the QAIP may become necessary to ensure
that it continues to operate in an effective and efficient manner and that stakeholders
are assured that it adds value by improving the PSE’s operations.

6.2. Reporting and Follow-Up activities

The CAE shall hold discussions with senior management and the Audit Committee of
specific PSEs to agree on the form, content, and frequency of communicating results of
the QAIP. Communication of the results of QAIP activities shall include the following
minimum aspects:

a) The scope and frequency of both the internal and external assessments.
b) The qualifications and independence of the assessor(s) or assessment team,
including potential conflicts of interest.
c) Conclusions of assessors.
d) Corrective action plans.

To ensure compliance with Standard 1320, the results of external and periodic internal
assessments shall be communicated within one month to the senior management and
within three months to the Audit Committee upon completion of such assessments.
Further, the IAGD shall undertake QAIP monitoring, follow-up and reporting at least
annually at a national level. The IAGD, in collaboration with the CAEs drawn from
various PSEs, shall also undertake continuous QAIP awareness activities within the
country.

6.3. Internal Assessment Monitoring and Follow-Up activities

All PSEs shall conduct periodic internal assessments on an annual basis, and the
assessment shall include an evaluation of the internal audit activity’s conformance with
the Standards to support the internal audit activity’s statement of conformance as outlined
in Chapter 7 of this Guide.

Ongoing monitoring shall include reporting on internal audit Key Performance Indicators
(KPIs). The internal audit KPIs shall include:

a) Percentage (%) of the audit plan completed.
b) Percentage (%) of audit recommendations that have been accepted or
implemented.
c) Status of management’s corrective actions.
d) Average time taken to issue reports for the internal audits conducted within the
reporting period.
e) Level of improvement due to implemented recommendations.
f) Financial gains such as prevention of revenue leakages and cost savings made
based on the IAA’s efforts.

The CAE shall also provide an annual report (in the first quarter of each financial year) to
senior management and the Board regarding the results of ongoing monitoring and
include any recommendations for improvement thereof. The report shall include
corrective action plans as well as progress against completion.

As outlined in the Internal Audit Guide for PSEs, CAEs shall maintain a tracker of
corrective action plans from internal assessments. The CAEs shall ensure that follow-up
on the implementation of action plans from internal assessment is done at least annually
and reported to the senior management and the Board as outlined above. Refer to
Appendix 2.6.4: QAIP Monitoring Tool.

6.4. External Assessment Monitoring and Follow-Up activities

When reporting the results of the external assessment, the CAE shall confirm the
qualifications and independence of the external assessor or assessment team to the
senior management and the Board. This confirmation shall be based on the discussions
held between the senior management and the Board during the selection process
regarding the external assessor’s or assessment team’s qualifications, independence and
objectivity, including any actual, potential, or perceived conflict of interest. The CAE
shall explain the rating conclusion(s) from external assessments to senior management
and the Audit Committee, as well as the impact of the results. The CAE shall
communicate to senior management and the Audit Committee any action plans to address
recommendations from the external assessment.

As outlined in the Internal Audit Guide for PSEs, CAEs shall maintain a tracker of
corrective action plans from external assessments. The CAEs shall ensure that follow-up
on the implementation of action plans from external assessment is done at least annually
and reported to the senior management and the Audit Committee. Refer to Appendix
2.6.3: QAIP Monitoring Tool.

Chapter 7: Use of Conformance Statement and Disclosure of Non-conformance

7.1. Overview

Both internal and external assessments of the internal audit activity are performed to
evaluate, and express an opinion on, the internal audit activity’s conformance with the
Standards and The IIA’s Code of Ethics. This chapter focuses on the use of the
conformance statement and the disclosure of non-conformance pursuant to Standards 1321
and 1322. The first part of the chapter covers how the conformance statement will be
used by PSEs, while the latter section focuses on the disclosure of non-conformance by
PSEs.

7.2. Proper use of Conformance Statement

The CAE shall discuss the usage of the statement “Conforms with the International
Standards for the Professional Practice of Internal Auditing” with the Audit Committee
regularly to gain and maintain an understanding of the Board’s expectations on the
matter.

PSEs’ internal audit activities shall only communicate, in writing or verbally, that their
internal audit activities conform with the Standards if results of the QAIP, including both
the internal and external assessment results, as required by Standard 1312, support such
a statement. Once an external assessment validates conformance with the Standards,
the internal audit activity may continue to use the statement, as long as internal
assessments continue to support such a statement, until the next external assessment.

The following considerations shall be made before making use of the conformance
statement: -

a) If the results of either the current internal assessment or most recent external
assessment do not confirm general conformance with the Standards and The IIA’s
Code of Ethics, the internal audit activity shall discontinue indicating that it is
operating in conformance.

b) If an internal audit activity has been in existence at least five years and has not
completed an external assessment, the internal audit activity shall not indicate that
it is operating in conformance with the Standards.
c) If an internal audit activity has undergone an external assessment within the past
five years but has not conducted an internal assessment based on disclosures to
the Audit Committee on the frequency of internal assessment, the CAE shall
consider whether it is still operating in conformance and whether it is appropriate
to indicate conformance until validated by an internal assessment.
d) An internal audit activity that has been in existence for less than five years may
indicate that it is operating in conformance with the Standards only if a documented
internal assessment (i.e., the periodic self-assessment) supports that conclusion.
e) If the internal audit activity has been in existence for more than five years since the
last external assessment was conducted in accordance with Standard 1312 –
External Assessments, the internal audit activity must cease indicating that it
operates in conformance, until a current external assessment is completed and
supports that conclusion.
f) If an external assessment reflects an overall conclusion that the internal audit
activity was not operating in conformance with the Standards, the internal audit
activity must immediately discontinue using any statements that indicate
conformance with the Standards. The internal audit activity shall not resume use
of a conformance statement until it has remediated the non-conformance and
conducted an external assessment to validate an overall assessment of
conformance with the Standards.

Since the Standards are principles-based, the internal audit activity should consider the
overall conformance conclusion when determining its ability to use the conformance
statement. This should be considered in situations where the internal audit activity
achieves only partial conformance with one or more standards but demonstrates a clear
intent and commitment to ultimately achieving full conformance with the Standards.

Where a specific engagement fails to achieve conformance with the Standards, the
internal audit activity shall be required to disclose the lack of conformance.

7.3. Disclosure of Non-conformance

This section of the Guide is based on Standard 1322. It is applicable where the CAE
concludes that the internal audit activity does not conform with the Standards and Code
of Ethics, and the lack of conformance may impact the overall scope or operation of the
internal audit activity. The CAEs of PSEs shall ensure that they have an understanding
of the mandatory elements of the International Professional Practices Framework, how
potential conformance deviations might affect the overall scope of the internal audit
activity, and the expectations of the Board and senior management for reporting any such
conformance issues.

The following are some of the key areas which shall result in disclosure of
non-conformance:

a) Where internal and external assessments uncover impairments to independence or
objectivity. This includes where an internal auditor is assigned to an audit
engagement but does not meet individual objectivity requirements.
b) Where internal and external assessments uncover resource limitations.
c) Circumstances where an internal audit activity undertakes an engagement without
having the collective knowledge, skills, and experience needed to perform its
responsibilities as per Standard 1210 on Proficiency.
d) Circumstances where the CAE fails to consider risk when preparing the internal audit
plan as per Standard 2010 on Planning.
e) Other conditions or circumstances that may affect the internal audit activity’s ability
to fulfill its responsibilities to stakeholders.

Appendices

Appendix 1 – Reference Documents

Reference 1.1: International Professional Practices Framework (IPPF)

Reference 1.2: Internal Audit Guide for Public Sector Entities

Appendix 2 – Quality Assurance and Improvement Program Tools and Checklists

Appendix 2.1 Planning Tools and Checklists

Template 2.1.1 Background Information and Document Request Checklist

Organization Name:

Date Prepared:

Prepared By:

Reviewed By:

A. BACKGROUND INFORMATION

1. Organization background information:

a. Address of the organization’s principal location:

b. Website:

c. Geographical locations of major operations:

d. Number of operating locations:

e. Approximate number of employees:

f. Additional background information (e.g., asset size, revenues):

2. Name and title of the CAE:

3. Name and title of the person to whom the CAE reports:

a. Administratively:

b. Functionally:

4. Internal audit activity background information:

a. Address of the internal audit activity’s principal office:

b. Name and title of the primary contact(s) for the external assessment team:

c. Primary contact’s telephone number and email address:

5. Provide a brief history of the internal audit activity. Include information about
when it was started, about any change(s) of CAEs during the past 10 years,
an indication of its growth in the past 10 years, and significant changes in its
lines of reporting and authority, including the scope of work and the internal
organization. Please comment on the impact these changes had on the
internal audit activity’s effectiveness.

B. DOCUMENT REQUEST CHECKLIST (for the assessment team)

| # | Documents | P/O | Governance (Ref 2.4.1) | Staff (Ref 2.4.2) | Management (Ref 2.4.3) | Process (Ref 2.4.4) | Comment |
|---|---|---|---|---|---|---|---|
| 1 | Audit committee charter | P | 1000, 1100 | 1200 | 2000 | | |
| 2 | Audit committee agendas and minutes (provide for past calendar year to include approval of the internal audit charter and the risk-based plan) | O | 1100 | 1200 | 2000, 2600 | | |
| 3 | PSE’s organization chart (show business unit heads and internal audit placement) | P | 1000, 1100 | | 2000 | | |
| 4 | PSE’s governance structure and policies (e.g., strategy selection, ethics, and IT governance) | O | | | 2100 | | |
| 5 | PSE’s risk management framework and policies (e.g., ERM process and reports) | O | | | 2100 | | |
| 6 | PSE’s control framework and policy (e.g., COSO, delegation of authority, and accountability) | O | | | 2100 | | |
| 7 | Internal audit charter | P | 1000, 1100 | 1200 | 2000, 2600 | | |
| 8 | Internal audit activity strategic plan and vision (strategic plan specific to the internal audit activity) | P | 1000 | 1200 | 2000 | 2200, 2300, 2400, 2500 | |
| 9 | Internal audit activity organization chart | P | 1100 | 1200 | | | |
| 10 | Internal audit activity values and any customer service standards | P | 1000, 1300 | | | | |
| 11 | Internal audit policy/procedure: code of ethics (if not included in internal audit manual) | P | Code of Ethics | | | | |
| 12 | Internal audit policy/procedure: independence and objectivity (if not included in internal audit manual) | P | 1100 | | | | |
| 13 | Internal audit policy/procedure: staff development (if not included in internal audit manual) | P | | 1200 | | | |
| 14 | Internal audit job descriptions | O | | 1200 | | | |
| 15 | Internal audit competency framework or model | P | | 1200 | | | |
| 16 | Internal audit staff profile (name, position, years of experience, certifications, etc.) | P | | 1200 | | | |
| 17 | Internal audit staff training records (sessions and activities for the current and prior year) | P | | 1200 | | | |
| 18 | Internal audit staff performance appraisal templates (include example of professional development plan, if applicable) | P | | 1200 | | | |
| 19 | Internal audit policy/procedure: QAIP (provide documentation that describes how QAIP is designed if not included in internal audit manual) | P | 1300 | | 2000 | 2200, 2300, 2400, 2500 | |
| 20 | QAIP – ongoing monitoring of performance (e.g., performance metrics and related reports, results of customer surveys, and engagement quality results) | P/O | 1300 | | | | |
| 21 | QAIP – periodic internal assessment (e.g., results of latest periodic internal assessment performed and supporting workpapers) | P/O | 1300 | | | | |
| 22 | QAIP – annual report on ongoing monitoring of performance (usually included in quarterly or annual report to Audit Committee) | P/O | 1300 | | | | |
| 23 | QAIP – report on periodic internal assessment (required to be communicated upon completion) | P | 1300 | | | | |
| 24 | QAIP – most recent external assessment report | P | 1300 | | | | |
| 25 | Internal audit policy/procedure: audit plan/risk assessment (if not included in internal audit manual) | P | | | 2000 | | |
| 26 | Current year audit plan and supporting information (audit universe, risk assessment, staffing analysis, budgets, resource allocation, assurance map, etc.) | P/O | | 1200 | 2000 | | |
| 27 | Prior year audit plan and supporting information (audit universe, risk assessment, staffing analysis, budgets, resource allocation, assurance map, etc.) | P/O | | 1200 | 2000 | | |
| 28 | Audit plan – current plan vs. actual engagements | P | | | 2000 | | |
| 29 | Audit plan – prior plan vs. actual engagements | P | | | 2000 | | |
| 30 | Service provider engagement letters or contracts (for co-sourced or outsourced internal audit services) | O | | 1200 | 2000 | | |
| 31 | Periodic reports to the Audit Committee/senior management on internal audit results (provide for the most recent 12 months) | O | | | 2000 | | |
| 32 | Internal audit policy/procedure manual (provide entire manual) | P | | | 2000 | | |
| 33 | Internal audit policy/procedure: engagement planning/risk assessment (if not included in internal audit manual) | P | | | | 2200, 2300 | |
| 34 | Internal audit policy/procedure: performing assurance and consulting engagements (if not included in internal audit manual) | P | | | | 2300 | |
| 35 | Internal audit policy/procedure: communicating results (if not included in internal audit manual) | P | | | 2000 | 2400 | |
| 36 | Internal audit policy/procedure: monitoring progress (if not included in internal audit manual) | P | | | 2600 | 2500 | |
| 37 | Recent status reports used to monitor the disposition of internal audit recommendations and/or agreed-upon management actions | O | | | 2600 | 2500 | |
| 38 | A list of all audit engagements completed in the current and prior year (to be used in selecting a sample of projects for quality assessment) | P | 1100, 1300 | 1200 | | 2200, 2300, 2400, 2500 | |
| 39 | Supporting records for audit engagements (for the sample of projects selected for the quality assessment) | O | 1100, 1300 | 1200 | | 2200, 2300, 2400, 2500 | |
| 40 | A list of software or computer-assisted auditing techniques (CAATs) used by the internal audit activity | P | | 1200 | | 2300 | |
| 41 | Specific laws or regulations with which the internal audit activity must comply (typically industry specific) | O | 1000 | | | | |
| 42 | The PSE’s latest annual report | O | 1100 | | 2000 | | |
| 43 | Marketing materials used by the internal audit activity to promote the role of internal audit in the organization | P/O | | | 2000 | | |

Template 2.1.2 Internal Audit Governance Assessment Tool

Organization Name:

Date Prepared:

Prepared By:

Reviewed By:

Instructions for Completion

1. Complete this form for a full external assessment and a self-assessment with
independent validation. This form may be completed as a component of a
periodic internal self-assessment.

2. Please provide a response to each open-ended question in the space
provided and reference documents provided in Appendix 2.1.1, “Background
Information and Document Request Checklist”, if appropriate. The reference
at the end of each question is the primary standard, where the information
will be used to evaluate the internal audit activity. Your responses are
intended to provide context to the documents and information provided in
Appendix 2.1.1, as well as specific conformance criteria embedded in the
applicable Standards.

3. For each major series of Standards, list and comment on any successful
internal audit practices demonstrated by your internal audit activity or
opportunities for continuous improvement that you identified as a component
of this planning process. These items will be specifically considered by the
external assessor or assessment team.

Standard 1000 – Purpose, Authority, and Responsibility

1. Please describe the CAE’s vision for the internal audit activity and the internal
audit activity’s core values, client service objectives, and strategies. (1000)

2. Describe how the CAE ensures that internal audit activity management and staff
understand these attributes. (1000)

3. Please comment on how the internal audit activity develops effective working
relationships with internal audit stakeholder groups and understands their
expectations and appetite for value-added internal audit services. (1000)

4. Please comment on how the internal audit activity is viewed within the
organization. Is it viewed as a necessity or as a valued business partner? Do key
stakeholders understand the purpose, authority, and responsibilities of the internal
audit activity? (1000)

5. Is the internal audit charter consistent with the Mission of Internal Audit and the
mandatory elements of the IPPF (i.e., Core Principles for the Professional Practice of
Internal Auditing, Definition of Internal Auditing, Code of Ethics, and the
Standards), and does it specifically describe their mandatory nature? (1010)

6. How does the internal audit charter differentiate between performing assurance
and consulting services? (1000)

7. Does the internal audit charter specifically describe the nature of the functional
reporting relationship with the Board, and is this description consistent with the
current practice? (1000)

8. How frequently is the internal audit charter reviewed by the CAE and presented to
senior management and the Board for approval? (1000)

9. Please list and comment on any successful practices related to Standard 1000
identified as part of this planning process and that should be considered by the
assessor or assessment team in their overall evaluation.

10. Please list and comment on any opportunities for continuous improvement related
to Standard 1000 identified as part of this planning process and that should be
considered by the assessor or assessment team in their overall evaluation.

Standard 1100 – Independence and Objectivity and the Code of Ethics

1. Please describe how the functional reporting relationship for the CAE supports
independence and objectivity. (1110)

2. Please describe how this functional reporting relationship allows the CAE to
communicate sensitive audit results and significant risks without fear of
retribution. (1110)

3. Please describe how the administrative reporting relationship for the CAE allows
the internal audit activity to fulfill its responsibilities. (1110)

4. Is the internal audit activity free from interference in determining the scope of
internal auditing, performing work, and communicating results? If not, please
describe the impairment (in fact or in appearance). (1110)

5. Please comment on how the internal audit organization structure promotes the
achievement of the internal audit activity’s mission and goals. (1110)

6. How does the CAE specifically confirm the organizational independence of the
internal audit activity annually? What form does the confirmation take, and where
is it documented?

7. Describe the frequency and the manner in which the CAE and the internal audit
activity interact with the Board. (1111)

8. Describe other areas of responsibility for the CAE beyond internal auditing, and
comment on how these areas are managed to support independence and
objectivity. (1112)

9. Are there any significant impairments (in fact or in appearance) to the internal
audit activity’s independence or objectivity? If yes, have the impairments been
disclosed to the appropriate parties? (1120 and 1130)

10. How does the CAE support the expectation that the audit staff will conform to the
Code of Ethics requirements? Is periodic training conducted? Do internal audit
activity management and staff affirm that they are operating independently and
objectively? Do internal audit activity management and staff sign off annually that
they have read, understand, and agree to abide by the Code of Ethics? (1120 and
Code of Ethics)

11. Please list and comment on any successful practices related to Standard 1100
and the Code of Ethics that you identified as part of this planning process and that
should be considered by the assessor or assessment team in their overall
evaluation.

12. Please list and comment on any opportunities for continuous improvement related
to Standard 1100 and the Code of Ethics that you identified as part of this planning
process and that should be considered by the assessor or assessment team in
their overall evaluation.

Standard 1300 – Quality Assurance and Improvement Program

1. Has a QAIP been established for the internal audit activity? If so, is it formally
documented? (1300)

2. Describe how the internal audit activity satisfies the ongoing monitoring of
performance components of the QAIP to ensure quality on an audit-by-audit
basis. (1311)

3. Describe the performance metrics used to measure ongoing monitoring of
performance for the internal audit activity. (1311)

4. Describe the frequency and process used for the periodic internal assessment
component of the QAIP. (1311)

5. Comment on the frequency and form of the external assessment component of the
QAIP. (1312)

6. When was the last external assessment performed? Was it a full external
assessment or a self-assessment with independent external validation? (1312)

7. Please comment on how the CAE encouraged Board oversight over the external
assessment to reduce perceived or potential conflicts of interest. (1312)

8. Describe the frequency and manner in which results of the QAIP (internal and
external assessments) are communicated to senior management and the
Board. (1320)

9. Do you state that the internal audit activity “conforms with the International
Standards for the Professional Practice of Internal Auditing”? (1321)

10. If yes, which documents include the conformance notations (e.g., internal audit
charter, engagement reports)? (1321)

11. Please list and comment on any successful practices related to Standard 1300
that you identified as part of this planning process and that should be considered
by the assessor or assessment team in their overall evaluation.

12. Please list and comment on any opportunities for continuous improvement related
to Standard 1300 that you identified as part of this planning process and that
should be considered by the assessor or assessment team in their overall
evaluation.

Template 2.1.3 Internal Audit Staff Assessment Tool

Organization Name:

Date Prepared:

Prepared By:

Reviewed By:

Instructions for Completion

1. Complete this form for a full external assessment and a self-assessment with
independent validation. This form may be completed as a component of a
periodic internal self-assessment.

2. Please provide a response to each open-ended question in the space
provided and reference documents provided in Appendix 2.1.1, “Background
Information and Document Request Checklist”, if appropriate. The reference
at the end of each question is the primary standard, where the information
will be used to evaluate the internal audit activity. Your responses are
intended to provide context to the documents and information provided in
Appendix 2.1.1, as well as specific conformance criteria embedded in the
applicable Standards.

3. For each major series of Standards, list and comment on any successful
internal audit practices demonstrated by your internal audit activity or
opportunities for continuous improvement that you identified as a component
of this planning process. These items will be specifically considered by the
external assessor or assessment team.

Standard 1200 – Proficiency and Due Professional Care

1. What documents (e.g., job descriptions, competency frameworks, or models) are
used to identify and evaluate the core competencies, knowledge, skills, and
specialized areas of knowledge that the internal audit staff must possess or
obtain? (1210)

2. Please comment on how the core competencies in these documents are kept
current and used in internal audit annual/strategic planning. How does the internal
audit activity keep current in terms of trends and emerging issues to enable
relevant advice and recommendations? (1210)

3. Are specialized areas of knowledge (e.g., IT, treasury, engineering, or
legal/compliance) required on some audit engagements? If yes, what are the
specialized areas of knowledge and how do you staff these engagements (e.g.,
subject matter experts on staff, guest auditors, or rotation programs,
co-sourcing)? (1210)

4. Please comment on whether the internal audit activity is viewed as a source of
talent in the organization. (1210)

5. Please provide your perspective on the level of competency within the internal
audit activity related to the categories below. The description should include
areas of strength as well as opportunities for continuous improvement. (1210)

a. General competencies (communication, ability to promote the value of internal
audit, and problem identification and solution skills)

b. Behavioral skills (confidentiality, objectivity, judgment, works well with all
management levels, governance, and ethics sensitivity)

c. Technical skills (e.g., understand the business, risk analysis and control
assessment techniques, business process analysis)

d. Knowledge (e.g., auditing and standards, organizational culture, governance and
risk management, industry knowledge)

6. Please describe how the internal audit activity considers the use of
technology-based audit and other data analysis techniques for risk assessment,
planning, and engagement execution. (1220)

7. Describe how individual audit staff members are made aware of their due
professional care responsibilities. How do you monitor conformance? (1220)

8. Please describe how internal audit management is kept aware of changes in
professional guidance and responsibilities related to the Core Principles and Code
of Ethics.

9. How is continuing professional development for internal audit management and
staff supported? How is professional development linked to performance
evaluation? (1230)

10. Please describe your process for onboarding or induction of new personnel into
the internal audit activity. (1230)

11. Please list and comment on any successful practices related to Standard 1200
that you identified as part of this planning process that should be considered by
the assessor or assessment team in their overall evaluation.

12. Please list and comment on any opportunities for continuous improvement
related to Standard 1200 that you identified as part of this planning process
that should be considered by the assessor or assessment team in their overall
evaluation.

Template 2.1.4 Internal Audit Management Assessment Tool

Organization Name:

Date Prepared:

Prepared By:

Reviewed By:

Instructions for Completion

1. Complete this form for a full external assessment and a self-assessment with
independent validation. This form may be completed as a component of a
periodic internal self-assessment.

2. Please provide a response to each open-ended question in the space
provided and reference documents provided in Appendix 2.1.1, “Background
Information and Document Request Checklist”, if appropriate. The reference
at the end of each question is the primary standard, where the information
will be used to evaluate the internal audit activity. Your responses are
intended to provide context to the documents and information provided in
Appendix 2.1.1, as well as specific conformance criteria embedded in the
applicable Standards.

3. For each major series of Standards, list and comment on any successful
internal audit practices demonstrated by your internal audit activity or
opportunities for continuous improvement that you identified as a component
of this planning process. These items will be specifically considered by the
external assessor or assessment team.

Standard 2000 – Managing the Internal Audit Activity

1. Is there a strategic plan specific to


your internal audit activity? If so,
please describe how the strategic
plan is developed and executed. The
description should include inputs into
the plan, communication, and
approval of the plan, and monitoring
and reporting on the progress of
initiatives included in the plan. (2000)

2. Describe how the internal audit
activity ensures the completeness of
the audit universe. Also comment on
potential auditable activities that
have been excluded from your plan
or are placeholders (i.e., have not
been audited) for future coverage.
How are areas of emerging risk
captured and included in the audit
universe? (2010)

3. Describe the process used to develop
the risk-based audit plan, including
inputs into the plan from key
stakeholders, senior management
and the Board; consideration of the
organization’s strategies, key
business objectives, associated
risks, and risk management
processes; the process used to
prioritize items in the audit universe;
and approval of the risk-based plan
by the Board. (2010 and 2020)

4. Please describe the process for
communicating and obtaining
approval for significant changes to
the approved annual audit plan.
Have thresholds been established to
determine the level of significance?
Is approval of changes reflected in
Audit Committee meeting minutes?
(2010)

5. How is time allocated between
financial, operational, compliance, IT,
and consulting activities in the
annual audit plan? (2010)

6. Please describe how internal audit
activity resources are linked to the
annual audit plan objectives in terms
of numbers, skills, and
competencies. How does the CAE
communicate the impact of resource
limitations, if any, to senior
management and the Board? (2010
and 2030)

7. Briefly describe the process that is
used to develop, maintain, and
implement the internal audit policy
and procedure manual. (2040)

8. Please list the other assurance
providers within the organization
(e.g., ERM, compliance, quality, or
environmental) and briefly describe
how the internal audit activity shares
information and coordinates activities
with these groups. (2050)

9. Please comment on any use of
assurance maps, internal audit’s
reliance on the work of other
assurance providers, and the
interaction with subject matter
experts from within the organization
(e.g., guest auditors). (2050)

10. Please describe the level of
interaction and coordination with the
external auditors. What level of
reliance is placed on the work of the
internal audit activity by the external
auditors? (2050)

11. Briefly describe your periodic
reporting to senior management and
the Board (i.e., frequency and
content of meetings, informal
contacts, frequency of private
sessions with the Board/Audit
Committee, etc.). Also, comment on
senior management and the Board
expectations regarding overall
opinions and any other comments
about communication and reporting
practices. (2060)

12. Briefly describe the communications that take place between the internal audit
activity and senior management and the Board related to the areas below. Include
the date when the communication last took place and where the communication is
documented. (2060)

a. Internal audit charter.

b. Independence of the internal audit
activity.

c. The audit plan and progress
against the plan.

d. Resource requirements.

e. Results of audit activities.

f. Conformance with the Code of
Ethics and the Standards, and
action plans to address any
significant conformance issues.

g. Management’s response to risk
that, in the CAE’s judgment, may
be unacceptable to the
organization.

13. Please list any third-party providers
of outsourced or co-sourced internal
audit services used by the
organization. If the internal audit
activity is outsourced, describe how
the third-party provider has made the
organization aware that the
organization has the responsibility for
maintaining an effective internal audit
activity. If internal audit services are
co-sourced, please briefly describe
the interaction with the third-party
provider. (2070)

14. Please list and comment on any successful practices related to Standard 2000 that
you identified as part of this planning process that should be considered by the
assessor or assessment team in their overall evaluation.

15. Please list and comment on any opportunities for continuous improvement related
to Standard 2000 that you identified as part of this planning process that should be
considered by the assessor or assessment team in their overall evaluation.

Standard 2100 – Nature of Work

1. Please comment on how internal audit contributes to the improvement of the
organization’s governance processes related to:

a. Making strategic and operational
decisions. (2110)

b. Overseeing risk management and
control. (2110)

c. Promoting appropriate ethics and
values within the organization.
(2110)

d. Ensuring effective organizational
performance management and
accountability. (2110)

e. Communicating risk and control
information to appropriate areas of
the organization. (2110)

f. Coordinating the activities of, and
communicating information
among, the Board, external and
internal auditors, other assurance
providers, and management.
(2110)

2. Describe how the internal audit
activity evaluates the design,
implementation, and effectiveness of
the organization’s ethics-related
objectives, programs, and activities.
(2110)

3. Describe how the internal audit
activity assesses whether the IT
governance of the organization
supports the organization’s
strategies and objectives. (2110)

4. Please describe the internal audit
activity’s role in risk management in
the organization. Specifically
comment on the interaction with the
ERM activity and the role (if any) that
the CAE plays, including any
management responsibilities. (2120)

5. Please describe internal audit’s role
in evaluating control within the
organization. Specifically comment
on the use of control frameworks by
internal audit. (2130)

6. Please provide examples of how the
internal audit activity has contributed
to the improvement of the
organization’s governance, risk
management, and control
processes. Comment on current
priorities and any future plans for
increasing the value of the internal
audit activity’s services. (2110,
2120, and 2130)

7. Please list and comment on any successful practices related to Standard 2100 that
you identified as part of this planning process that should be considered by the
assessor or assessment team in their overall evaluation.

8. Please list and comment on any opportunities for continuous improvement related
to Standard 2100 that you identified as part of this planning process that should be
considered by the assessor or assessment team in their overall evaluation.

Standard 2450 – Overall Opinions

1. Does the internal audit activity
provide an overall opinion related
to any of their activities? If so,
describe how the overall opinion
takes into consideration the
strategies, objectives, and risks of
the organization, and the
expectations of senior
management, the Board, and other
stakeholders. (2450)

2. If an overall opinion is provided,
describe how the communication is
structured and the process used to
ensure the overall opinion is
supported by sufficient, reliable,
relevant, and useful information.
(2450)

3. Please list and comment on any successful practices related to Standard 2450
that you identified as part of this planning process that should be considered by
the assessor or assessment team in their overall evaluation.

4. Please list and comment on any opportunities for continuous improvement
related to Standard 2450 that you identified as part of this planning process that
should be considered by the assessor or assessment team in their overall
evaluation.

Standard 2600 – Communicating the Acceptance of Risks

1. Please describe the process to
communicate situations where the
CAE concludes that senior
management has assumed a level
of risk that may be unacceptable to
the organization. (2600)

2. Please list and comment on any successful practices related to Standard 2600
that you identified as part of this planning process that should be considered by
the assessor or assessment team in their overall evaluation.

3. Please list and comment on any opportunities for continuous improvement
related to Standard 2600 that you identified as part of this planning process that
should be considered by the assessor or assessment team in their overall
evaluation.

Template 2.1.5 Internal Audit Process Assessment Tool

Organization Name:

Date Prepared:

Prepared By:

Reviewed By:

Instructions for Completion

1. Complete this form for a full external assessment and a self-assessment with
independent validation. This form may be completed as a component of a
periodic internal self-assessment.

2. Please provide a response to each open-ended question in the space
provided and reference documents provided in appendix 2.1.1, “Background
Information and Document Request Checklist,” if appropriate. The reference
at the end of each question is the primary standard, where the information
will be used to evaluate the internal audit activity. Your responses are
intended to provide context to the documents and information provided in
appendix 2.1.1, as well as specific conformance criteria embedded in the
applicable Standards.

3. For each major series of Standards, list and comment on any successful
internal audit practices demonstrated by your internal audit activity or
opportunities for continuous improvement that you identified as a component
of this planning process. These items will be specifically considered by the
external assessor or assessment team.

Standard 2200 – Engagement Planning

1. Please describe your approach to
engagement-level planning in terms
of establishing objectives and scope.
How is engagement-level planning
linked to the overall annual audit
plan? (2201 and 2220)

2. Please describe how you approach
engagement-level risk assessment.
How is engagement-level risk
assessment linked to the objectives,
scope, and work program? Is a risk
and control matrix used? (2201,
2210, and 2220)

3. Please describe how you consider
the potential for fraud during the
engagement-level planning process.
(2201)

4. What are the documents that you
require as a component of your
planning process (e.g., planning
memo, risk and control matrix, work
program)? (2201)

5. Do you differentiate between
assurance and consulting
engagements from a planning
perspective? If so, please describe
the differences. (2201)

6. How do you ensure that the
resources assigned to the
engagement are sufficient in terms of
numbers, skills, and competencies?
(2230)

7. Please describe the process for
establishing the work program to link
planning with fieldwork. Is the work
program and significant changes to
the work program approved in
advance and documented? (2240)

8. Please list and comment on any successful practices related to Standard 2200 that
you identified as part of this planning process that should be considered by the
assessor or assessment team in their overall evaluation.

9. Please list and comment on any opportunities for continuous improvement related
to Standard 2200 that you identified as part of this planning process that should be
considered by the assessor or assessment team in their overall evaluation.

Standard 2300 – Performing the Engagement

1. Describe how information captured
during the audit process is sufficient,
reliable, relevant, and useful to meet
the engagement’s objectives. (2310)

2. Describe how information is analyzed
to support engagement observations.
Describe the use of data analytics
and root-cause analysis. (2320)

3. Please comment on how work
performed during an engagement
(assurance or consulting) is
documented. Are electronic
workpapers used? Are checklists
and templates used to support
consistency, quality, and
sustainability? (2330)

4. Please describe how the CAE
controls access to engagement
records. Is there a retention policy
specific to internal audit activity
workpapers? (2330)

5. Please describe the critical points
where supervisory review and
approval is demonstrated in the
workpapers. Is this review and
approval process specifically
documented? (2340)

6. Please list and comment on any successful practices related to Standard 2300 that
you identified as part of this planning process and that should be considered by the
assessor or assessment team in their overall evaluation.

7. Please list and comment on any opportunities for continuous improvement related
to Standard 2300 that you identified as part of this planning process and that
should be considered by the assessor or assessment team in their overall
evaluation.

Standard 2400 – Communicating Results

1. Describe the standard elements in
your engagement reports. Is a
template used to ensure consistency
of the reporting process? (2400)

2. Are there different reporting
mechanisms for assurance
engagements and consulting
engagements? (2400)

3. Describe the basis for the ratings or
conclusions in engagement reports.
Is an overall rating or conclusion
provided? Are individual
observations rated by significance?
Are rating criteria specifically defined
in the report? Is an executive
summary used? (2410)

4. Please comment on the level of
acceptance of reported observations
shown in engagement reports. Do
stakeholders view reports as being
valuable and insightful? (2420)

5. Describe your view of quality related
to the engagement reporting
process. Are reports accurate,
objective, clear, concise,
constructive, complete, and timely?
How do you deal with circumstances
where there may be error or
omission in communicated results?
(2420 and 2421)

6. Do you use the term “conducted in
conformance with the International
Standards for the Professional
Practice of Internal Auditing”? If so,
what is the basis for its use? (2430)

7. Describe how you manage
distribution of audit reports to ensure
results are given due consideration.
Who receives copies of all audit
reports? (2440)

8. Please list and comment on any successful practices related to Standard 2400 that
you identified as part of this planning process and that should be considered by the
assessor or assessment team in their overall evaluation.

9. Please list and comment on any opportunities for continuous improvement related
to Standard 2400 that you identified as part of this planning process and that
should be considered by the assessor or assessment team in their overall
evaluation.

Standard 2500 – Monitoring Progress

1. Describe the process to monitor
results of engagements. Is there a
tracking mechanism to monitor the
status of all reported observations?
Are open items communicated to
senior management and the Board?
(2500)

2. Please describe the process to
modify the due date for reported
observations. Are changes reported
to senior management and the
Board? Does anyone specifically
approve the changes? (2500)

3. Describe the actual follow-up process
for open observations. Is there a
specific follow-up audit performed?
Are desktop procedures performed?
Are follow-up procedures customized
for significance of reported
observations? (2500)

4. Please list and comment on any successful practices related to Standard 2500 that
you identified as part of this planning process that should be considered by the
assessor or assessment team in their overall evaluation.

5. Please list and comment on any opportunities for continuous improvement related
to Standard 2500 that you identified as part of this planning process and that
should be considered by the assessor or assessment team in their overall
evaluation.

Template 2.1.6 Survey Contacts Documentation Tool (Optional)

Organization Name:

Date Prepared:

Prepared By:

Reviewed By:

Administration (See appendix B for guidance regarding surveys.)

Note: When choosing members of executive leadership and operating management
to respond to the survey, the quality assessment team leader—working with the
CAE—should select individuals from areas where assurance and/or consulting
engagements have been performed during the past one to two years. Selecting recent
audit “clients” will enhance the quality of information obtained from the survey. It is
acceptable to include the Audit Committee and/or the Board in the survey process.

Key Stakeholders - Executive and Management Leadership

Name | Title | Email

Template 2.1.7 Interview Schedule Tool (Optional)

Organization Name:

Date Prepared:

Prepared By:

Reviewed By:

Administration (See appendix C for guidance regarding interviews.)

Note: When choosing members of executive leadership and operating management for
interviews, the quality assessor—working with the CAE—should select individuals who have
a working relationship with the internal audit activity and have an understanding of the
operation and role of the internal audit activity in the organization. Individuals that are
typically interviewed are included in the table below.

Board Members and Senior and Operating Leadership

Name | Title/Role | Date/Time | Location and/or Phone Number

Audit Committee Chair (or equivalent)

CEO

Executive to whom the CAE reports

CFO

CIO

COO

External and Internal Assurance Providers

Name | Title/Role | Date/Time | Location and/or Phone Number

External Audit Provider (or equivalent)

Chief Risk Officer

Chief Compliance Officer

Internal Audit Management and Staff

Name | Title/Role | Date/Time | Location and/or Phone Number

CAE (or equivalent)

Appendix 2.2 Survey Tools

Template 2.2.1 Senior Management Survey Tool

NOTE TO CHIEF AUDIT EXECUTIVES

The attached survey is intended for distribution to individuals within your organization who
can provide feedback on the operation of your internal audit activity. You should consider
selecting members of executive leadership who interact with you and/or your management
and staff. When choosing members of operating management to respond to this survey,
you should consider selecting individuals from areas where assurance and/or consulting
engagements have been performed during the past one to two years. You might also
consider including members of the Board or Audit Committee in the survey process. This
can provide valuable insight into perspectives of this critical governance group.

As CAE, you should also complete this survey, providing your best assessment of how
your operating management and executive leadership will respond to each statement.
Comparing your answers with survey results from your executives and operating
managers will provide the external assessor or assessment team with possible
opportunities for improvement, as well as possible areas of successful practice for your
internal audit activity.

Please prepare a cover memo explaining the purpose of the survey in the context of the
external review of your internal audit activity and note that individual survey responses will
remain confidential. Completed surveys should be sent directly to the external assessor
or assessment team who will summarize the results for analysis and discussion with you
and your staff.

Please indicate your responses to the statements below:

Internal Audit Governance (use for appendix 2.4.1)

Strongly Agree | Agree | Disagree | Strongly Disagree | Don’t Know

1. Internal audit activity staff respects the
value and ownership of information
they receive and do not disclose
information without appropriate
authority unless there is a legal or
professional obligation to do so.

2. Internal audit activity staff exhibits the
highest level of professional objectivity
in performing their work, makes a
balanced assessment of all relevant
circumstances, and are not influenced
by their own interests or by others in
forming judgments.

3. The internal audit activity is perceived
as adding value and helping our
organization accomplish its objectives.

4. The integrity of the internal audit activity
establishes confidence, providing the
basis for its role as trusted advisor
within our organization.

5. Organizational placement of the internal
audit activity ensures its independence
and ability to fulfill its responsibilities.

6. Internal audit activity staff has free and
unrestricted access to records,
information, locations, and employees
during the performance of their
engagements.

Internal Audit Staff (use for appendix 2.4.2)

Strongly Agree | Agree | Disagree | Strongly Disagree | Don’t Know

7. Internal audit activity staff communicates
effectively (oral, written, and
presentations).

8. Internal audit activity staff keeps up to
date with changes in our business, our
industry, and the relevant regulatory
issues.

9. Internal audit activity staff displays
adequate knowledge of the business
processes, including critical success
factors.

10. Internal audit activity staff exhibits
effective problem-identification and
solution skills.

11. Internal audit activity management
demonstrates effective conflict-resolution and negotiating skills.

12. The internal audit activity staff is viewed
as a viable source of talented
individuals who can successfully
transfer to other parts of our
organization.

Internal Audit Management (use for appendix 2.4.3)

Strongly Agree | Agree | Disagree | Strongly Disagree | Don’t Know

13. Internal audit activity management
communicates effectively (oral, written, and
presentations).

14. Internal audit activity management keeps
up to date with changes in our business,
our industry, and the relevant regulatory
issues.

15. The internal audit activity management
establishes annual audit plans to assess
areas or topics that are significant to our
organization and consistent with our
organizational goals.

16. The internal audit activity management
sufficiently communicates its audit plans to
management of areas being reviewed. This
includes descriptions of audit objectives
and scope of review.

17. The internal audit activity management
effectively promotes appropriate ethics and
values within our organization.

18. The internal audit activity management
adequately assesses the effectiveness of
risk management processes employed by
management to achieve objectives.

19. The internal audit activity management
competently assesses the adequacy and
effectiveness of our organization’s system
of internal controls.

Internal Audit Process (use for appendix 2.4.4)

Strongly Agree | Agree | Disagree | Strongly Disagree | Don’t Know

20. The internal audit activity exhibits
proficient project management and
organizational skills to assure the timely
completion of its audit engagements.

21. The internal audit activity demonstrates
sufficient knowledge of key information
technology risks and controls in
performing its audit engagements.

22. The internal audit activity demonstrates
sufficient knowledge of fraud to identify
“red flags,” indicating possible fraud
when planning its audit engagements.

23. Internal audit activity audit reports are
accurate, objective, clear, concise,
constructive, complete, and timely.

Your Comments

24. What would you describe as
areas of strength for the
internal audit activity? What
things do they do well that you
would like them to continue
doing or expand upon? (Include
new or existing areas where
you think additional audit
services would be helpful.)

25. What areas would you describe
as opportunities for
improvement for the internal
audit activity? What things
would you like to see them stop
doing? (Include your
suggestions for how audit
services could be improved.)

26. Specifically, how might the
internal audit activity better add
value to your organization?

27. Additional comments:

Template 2.2.2 Internal Audit Staff Survey Tool

NOTE TO CHIEF AUDIT EXECUTIVES

The attached survey is intended for distribution to individuals on your staff to provide
feedback on the operation of your internal audit activity. You should consider requiring the
completion of the survey to be mandatory. Receiving responses to the following survey
from all of your staff will give you and the external assessor or assessment team the most
complete picture of how your staff views the operation of your internal audit activity.

As CAE, you should also complete this survey, providing your best assessment of how
your staff will respond to each statement. Comparing your answers with survey results
from your staff will provide the external assessor or assessment team with possible
opportunities for improvement, as well as possible areas of successful practice for your
internal audit activity.

Please prepare a cover memo explaining the purpose of the survey in the context of the
external assessment of your internal audit activity and note that individual survey
responses will remain confidential. Completed surveys should be sent directly to the
external assessor or assessment team who will summarize results for analysis and
discussion with you and your staff.

Please indicate your responses to the statements below:

Internal Audit Governance (use for appendix 2.4.1)

Strongly Agree | Agree | Disagree | Strongly Disagree | Don’t Know

1. Our internal audit activity is perceived as
adding value and helping our
organization accomplish its objectives.

2. Our internal audit activity staff has free
and unrestricted access to records,
information, locations, and employees
during the performance of their
engagements.

3. My CAE effectively promotes the value of
our internal audit activity within our
organization.

4. Our internal audit activity staff is fully
aware of and completely conforms to
both the Principles and the Rules of
Conduct that comprise the Code of Ethics
established by The IIA.

5. Our internal audit activity staff is fully
aware of and completely conforms to The
IIA’s International Standards for the
Professional Practice of Internal Auditing
relating to objectivity and due
professional care and the Code of Ethics.

6. Our internal audit activity has a conflict of
interest policy to report any perceived or
actual issues that may have an influence
on the independence and objectivity of
the auditors.

Internal Audit Staff (use for appendix 2.4.2)

Strongly Agree | Agree | Disagree | Strongly Disagree | Don’t Know

7. Our internal audit activity management
provides us with opportunities to keep up
to date with changes in our business,
industry, and relevant regulatory issues.

8. Our audit assignments provide internal
audit activity staff with opportunities to
develop adequate knowledge of key
business processes, including critical
success factors.

9. I have sufficient knowledge of key IT risks
and controls to perform my audit
engagements.

10. I have sufficient knowledge of fraud to
identify “red flags,” indicating possible
fraud when planning my audit
engagements.

11. Our internal audit activity management
provides ample opportunities to develop
the skills and knowledge necessary to
perform all of my audit engagements.

12. Our internal audit activity management
provides ample opportunities to develop
skills and knowledge, and acquire
experience that enables me to develop
professionally and advance my career.

13. I have ample opportunity to enhance my
knowledge, skills, and competencies
through in-house training sessions and/or
outside seminars.

14. My performance is reviewed on a regular
and sufficiently frequent basis; the criteria
used are adequate and the reviews are
meaningful and helpful.

15. Our internal audit activity management
encourages and supports the internal
audit activity staff in demonstrating its
proficiency by obtaining appropriate
professional certifications, such as
designations offered by The IIA or other
designations related to internal auditing.

16. Our internal audit activity is viewed as a
valuable developmental assignment by
individuals from other parts of our
organization.

Internal Audit Management (use for appendix 2.4.3)

Strongly Agree | Agree | Disagree | Strongly Disagree | Don’t Know

17. Our internal audit activity management
has established policies and procedures
that clearly guide the operation of our
internal audit activity.

18. Our internal audit activity actively
encourages collaborative effort between
internal audit management and staff for
effective completion of our engagements
in a timely manner.

19. Our internal audit activity competently
assesses the adequacy and
effectiveness of our organization’s
system of internal controls.

20. Our internal audit activity adequately
assesses the effectiveness of risk
management processes employed by
management to achieve our
organization’s objectives.

21. Our internal audit activity effectively
promotes appropriate ethics and values
broadly across our total organization.

22. Our internal audit activity adequately
assesses the effectiveness of
governance processes, including ethics-related
programs and activities.

Internal Audit Process (use for appendix 2.4.4)

Strongly Agree | Agree | Disagree | Strongly Disagree | Don’t Know

23. Our internal audit activity develops and
documents a plan for each engagement
based on a preliminary assessment of
risks relevant to the area being reviewed
(including the probability of fraud), and
our engagement objectives reflect the
result of this risk assessment.

24. Our internal audit activity uses
computer-assisted audit techniques,
including data mining, to facilitate data
collection and analysis during completion
of our engagements.

25. I receive appropriate, timely, and
constructive feedback regarding my
performance in completing
engagements, enabling me to continue
developing my knowledge, skills, and
competencies.

26. Our internal audit activity management
and staff exhibit proficient project
management and organizational skills to
assure the timely completion of our audit
engagements.

27. Our internal audit activity management
and staff demonstrate effective conflict
resolution and negotiating skills.

28. What improvements, if any, would
you like to see implemented to
enhance the current performance
review and feedback process in
your internal audit activity?

29. What improvements, if any, would
you like to see implemented to
enhance current discussions you
have with your management
regarding your personal career
development opportunities?

30. What are three things you like most
about your current job?

31. What are three things you would
change to improve the overall
performance of your internal audit
activity?

32. Additional comments:

Appendix 2.3 Interview Guides

Template 2.3.1 Chief Audit Executive Interview Guide

Interview Guide: Chief Audit Executive (CAE)

Organization Name:

Person Interviewed:

Position/Title:

Interviewer:

Date/Time:

Location:

Record Keeper:

Additional Comments:

Internal Audit Governance (use for appendix 2.4.1)

1. Comment on the internal audit charter and the audit practice environment. Be sure
to review the Internal Audit Governance Planning Guide, which also asks
questions about the internal audit charter, and tailor your questions based on
whether the CAE or a subordinate completed it.

a. Has the charter been kept current and relevant? Did the Board approve it?

b. Does the charter establish adequate roles, authority, and scope of work of the
internal audit activity? If not, please define what areas internal auditors are not
allowed to review.

c. Is the charter easily accessible (electronically or by hard copy) to management
and staff in the organization?

d. Do work environment, culture, and empowerment within the internal audit
activity promote a customer orientation by providing frequent contact, quality
work, and a partnering relationship?

e. Is the internal audit activity free from management decision-making functions
and operational responsibilities?

2. Comment on the independence, structure, and scope of work of the internal audit
activity.

a. Does the nature and level of the internal audit activity’s reporting lines to senior
management and the Board ensure its independence? Are you satisfied with
your independence and your staff’s independence?

b. How is the Board involved in the appointment, replacement, dismissal, and
compensation of the CAE?

c. Does the organizational structure of the internal audit activity promote
achievement of its mission and goals?

d. Do you have adequate budgetary resources to enable you (as the CAE) to
provide adequate audit coverage of the risk and exposure of the activities and
special projects as outlined in the annual audit plan?

e. Is the annual audit plan sufficient to cover the organization’s major risks?

f. Are you aware of any impediment to independence (actual or attempted) by
management?

g. Has there ever been an instance when non-conformance with The IIA’s
Definition of Internal Auditing, Code of Ethics, or Standards impacted the
overall scope or operation of the internal audit activity? If so, did you disclose
the non-conformance and its impact to senior management and the Board?
How did you do this?

3. Describe the Board/Audit Committee’s oversight of the internal audit activity.

a. Are you satisfied with the support (availability of committee members,
resources, and follow-up) that you receive from the Board?

b. Is the Board’s input sought during the annual planning and risk assessment of
the internal audit activity?

c. Does the Board approve the annual audit plan?

d. Does the Board approve the hiring and/or the termination of the CAE?

e. Describe the method and frequency of your meetings with, and reporting to,
the Board.

f. Describe the method and the frequency of your reports to the Board.

g. Do you meet privately with the Board or the Audit Committee chair? If so, how
frequently?

4. Comment on the internal audit activity’s quality assurance and improvement
program (QAIP), including ongoing monitoring mechanisms (e.g., engagement,
supervision, benchmarking, and measurement criteria) and internal and external
quality assessments.

a. What are the significant quality/process improvement actions currently
underway or planned for the near term in the following areas:

i. Customer relations (e.g., partnering, self-assessment, and consulting on
management processes).

ii. Reducing audit cycle time (e.g., early and frequent involvement in audit
planning and audit results, reduction of reporting and follow-up intervals,
and streamlining of audit procedures).

iii. Empowerment of staff and customers (e.g., self-review and accountability
and team auditing).

iv. Benchmarking and comparison with leading practices.

v. Other areas (adoption of successful practices).

b. How do you monitor the effectiveness of the QAIP?

5. Describe the frequency and nature of your interactions with the senior executive to
whom you report.

a. To whom do you report administratively?

b. How often do you meet with the senior executive?

c. Describe the methods of your meetings with, and reporting to, the senior
executive.

d. Do you seek the senior executive’s input during the internal audit activity’s
annual risk assessment and planning?

e. Is the annual audit plan discussed with the senior executives before the Board
approves the plan?

f. Do you attend strategic planning meetings or other senior management
meetings? What is your role in those meetings?

Internal Audit Staff (use for appendix 2.4.2)

6. Comment on the capabilities and professionalism of the internal audit activity staff.

a. Does the internal audit activity foster an identifiable culture of professionalism
and continuous improvement?

b. Are you satisfied with the staff’s understanding of the internal audit activity’s
core values, mission, and goals and objectives?

c. Does the internal audit activity staff have a reasonable understanding of
corporate governance, enterprise risk, and opportunities for service beyond
traditional audit activities?

d. Do staff members have the necessary skills to audit operational, financial,
performance, and IT areas of the organization? Do they have business
acumen? Do they have the skills to identify indicators of fraud?

e. Are the staff’s views sought and considered for management and audit
policy/planning deliberations? How is this accomplished?

f. Are competency models (position descriptions), performance standards, or
other means used to define the expectations and accountability of the staff?

g. How often are staff performance appraisals conducted?

h. How many staff members have professional certifications? What support is
given for obtaining professional certifications?

i. Do the auditors comply with The IIA’s Code of Ethics and the Standards?

j. Do management and the Board give you the ability to employ enough audit
staff to carry out the annual audit plan? Do you have the different levels of
audit experience necessary within your staff for the audit plan?

k. Do you perform a collective staff training needs analysis? Do you obtain
training based on these needs?

l. Are you able to engage outside expertise when the staff lacks specialized
knowledge or skills for an engagement? Have you done so? Have you
declined an engagement because your staff lacked the needed expertise?

m. Has job rotation within the organization (in and out of the internal audit activity)
been considered?

Internal Audit Management (use for appendix 2.4.3)

7. Comment on the organization’s overall governance processes and the internal
audit activity’s role in governance.

a. What are the key governance activities within the organization and how
effective are they?

b. Do you feel that you have a “seat at the table” in discussions of organizational
strategy?

c. In what other ways does the internal audit activity help improve the
organization’s governance processes?

d. Does the internal audit activity evaluate specific governance processes? If so,
which ones? Does it evaluate the overall governance process? If so, how?

e. Does the internal audit activity evaluate the organization’s ethics-related
objectives, programs, and activities?

8. Describe how risks are identified, measured, and managed in the organization.

a. What are the most important risks and opportunities?

b. Who is the most senior executive responsible for overall risk management?

c. How is risk management “rolled up” so that the CEO and the Board can
evaluate and oversee the “big picture”?

d. How does the internal audit activity assist management in the identification and
management of significant risks?

e. Have you ever felt that management was accepting a level of risk that was
unacceptable to the organization as a whole? If so, did you report it to the
Board? What was the response? (Also D1)

9. Describe how the internal audit activity evaluates the risk management process.

a. Does the internal audit activity evaluate the overall risk management process if
an integrated process exists?

b. Does the internal audit activity evaluate the risk management process within
the areas being audited?

10. Comment on other assurance functions (e.g., compliance, risk management, or
special investigations) and on the external audit firm relative to the internal audit
activity.

a. Indicate the roles of other assurance functions in the organization.

b. How do you ensure adequate coordination with the assurance functions and
prevent overlapping work while providing sufficient coverage?

c. Does the internal audit activity follow up or assist in implementation of the
recommendations of the other assurance functions?

d. Are reporting processes and terminology consistent enough among these
functions to facilitate comprehension by executives and the Board?

e. Is there adequate coordination between the internal audit activity and the
external auditor (and regulators) to minimize duplication or redundancy?

f. How often do you meet with the external auditor?

g. Are you satisfied with the extent to which the external auditor relies on your
work?

11. Comment on the credibility and effectiveness of the internal audit activity.

a. Are you considered a key member of the management team?

b. How do you ensure that the internal auditors have the knowledge and skills to
perform their responsibilities?

c. How do you obtain management and the Board’s feedback about the
effectiveness of the internal audit activity?

d. Do you believe that the internal audit activity really adds value to the
organization? If so, how does the internal audit activity add value?

12. Comment on the internal audit activity’s risk assessment and audit planning.

a. How is the audit universe structured (e.g., by organizational unit, business
process, or risk category)? Does the organization have its own risk
framework? If so, how are the two coordinated?

b. Were the organization’s strategic business plan and technology plan used in
the audit planning process?

c. Was input sought from key stakeholders (Board, senior management, and the
external auditor) during the internal audit activity’s annual risk assessment and
planning? Is similar input sought more frequently? If so, how?

d. How is the audit plan updated for organizational changes that occur between
annual planning periods? Does the internal audit activity have enough flexibility
to respond to changes in the organization’s risk profile?

e. Is sufficient attention given to the internal audit activity’s approach to auditing
IT?

f. Are funding, staff mix and skills, technology, and other resources sufficient to
fulfill the plan? Does this include funding to co-source with external providers
for technical expertise when needed?

Internal Audit Process (use for appendix 2.4.4)

13. How satisfied are you with the internal audit activity’s process for assurance
engagements?

a. Are all aspects of the audit process fully and clearly explained in the audit
manual?

b. Have you found any significant deficiencies in the planning or performance of
audits that should have been corrected before your review of the work? If so,
how did you address them?

14. How satisfied are you with the internal audit activity’s processes, if any, for
consulting engagements?

a. Is there an up-to-date procedure that sets forth the guidelines for consulting
engagements?

b. Are appropriate audit plans established for each engagement, including scope,
objectives, timing, and resource allocations?

c. Have significant governance, risk management, or control issues ever been
identified during consulting engagements? If so, were they communicated to
senior management and the Board?

15. How satisfied are you with the internal audit activity’s processes, if any, for
overseeing the planning and performing of co-sourced engagements?

a. Are co-sourced engagements performed in accordance with established
methodologies and working practices?

b. Are the co-sourcing vendor’s workpapers made available to the internal audit
activity?

c. How are the co-sourced engagements supervised? Do you think that the level
of supervision is adequate?

16. Do you issue an overall opinion (i.e., on governance, risk management, and/or
control for the organization as a whole)? If yes, how did you arrive at your opinion
(e.g., plan and aggregate evidence needed to support the opinion; take into
account the expectations of senior management, the Board, other stakeholders,
etc.)?

General Comments

Add additional observations or comments about the internal audit activity or other
matters discussed in the interview.

Template 2.3.2 Board and Senior Management Interview Guide

Interview Guide: Board Members and Senior and Operating Management

Organization Name:

Person Interviewed:

Position/Title:

Interviewer:

Date/Time:

Location:

Record Keeper:

Additional Comments:

Internal Audit Governance (use for appendix 2.4.1)

1. Comment generally on the independence, structure, and scope of work of the
internal audit activity.

a. Is the internal audit charter adequate, with sufficient authority to enable the
activity to perform effectively? Why or why not?

b. Does the nature and level of the internal audit activity’s reporting lines to senior
management and the Board ensure its independence?

c. Is the internal audit activity’s scope of work—including critical areas of IT as
performed in practice—appropriate to the needs of management? What areas
should receive more coverage? (Also 2.3)

d. In your opinion, why has the internal audit activity not reviewed these areas?
What areas should receive less coverage? In your opinion, why has the
internal audit activity overemphasized these areas? (Also 2.4.3)

2. The following questions are for the Audit Committee only.

a. How much direct interaction is there between the CAE and the Audit
Committee? Does this include meeting with the CAE in private session (no
other member of management present)?

b. Are you satisfied with the information you receive from the CAE?

c. Are you aware of a protocol for the CAE to communicate:

i. Any impairment to the internal audit activity’s independence or objectivity?

ii. Matters where the CAE believes management may have accepted a level
of risk that may be unacceptable to the organization?

Internal Audit Staff (use for appendix 2.4.2)

3. Based on your experience and observations, comment on the capabilities and
professionalism of the internal audit activity staff.

a. Are staff members objective and professional?

b. Do staff members have the right skills, including IT capabilities?

c. Do staff members have adequate knowledge in your area of responsibility,
including adequate knowledge and understanding of key technologies in use at
your organization?

d. Do staff members work well with others and inspire trust?

e. Do you consider the internal audit activity a staffing resource for your area of
responsibility?

f. Would you consider sending high-potential staff for a rotational assignment in
the internal audit activity?

Internal Audit Management (use for appendix 2.4.3)

4. Comment on the credibility and effectiveness of the internal audit activity.

a. Is the CAE considered a key member of management?

b. Do you think the internal audit activity is performing a critical function, or is it
only useful but not critical?

c. How would you rate the overall internal audit activity on a scale of 1 to 10?

5. Give your views on the management and operation of the internal audit activity for
your area of responsibility.

a. Do you have adequate input into the internal audit activity’s risk assessment
and planning? Please explain. How is that input obtained? How frequently is
that input obtained?

b. Is there sufficient emphasis on key technologies that support the business?

c. How have the internal audit activity’s audits and consulting engagements assisted
in addressing your risks and other concerns?

d. Has the CAE identified and adequately considered the expectations of senior
management, the Board, and other stakeholders for opinions and other
conclusions?

6. Comment on the internal audit activity’s contribution to the organization’s overall
governance processes.

a. Does the CAE have a “seat at the table” in discussions of organizational
strategy, including discussions regarding how potential IT investments are
aligned with organizational strategy?

b. Does the internal audit activity help improve the organization’s governance
processes in other ways? Please explain.

c. Does the internal audit activity evaluate specific governance processes,
including IT governance? If so, which ones? How effective are the
evaluations?

7. Describe a) your key business areas of responsibility and how risks in those areas
are identified, measured, and managed; b) how risks in the entire organization are
identified, measured, and managed; and c) what role, if any, the internal audit
activity plays in these risk management processes.

a. What are the most important risks and opportunities in your area of
responsibility?

b. How do you decide to accept, mitigate, share, or avoid these risks?

c. How is risk management in your area of responsibility aligned and integrated
with that for the organization as a whole?

d. Does the internal audit activity help you identify significant risks and improve
the organization’s risk management, control, and governance systems? Please
explain.

8. Comment on other oversight or monitoring functions (e.g., compliance, risk
management, process improvement, or special investigations) and the
independent audit firm in relation to the internal audit activity.

a. Is there adequate coordination to prevent overlapping work?

b. Are reporting processes and terminology consistent enough to facilitate
comprehension by executives and the Board?

Internal Audit Process (use for appendix 2.4.4)

9. Express your opinion on the quality and value of audit and consulting projects in
your area of responsibility.

a. Are reports timely and reasonably balanced? Do they properly reflect the
existing conditions?

b. Do recommendations relate to important issues? Have you found them to be
valuable?

c. How are disagreements resolved?

d. Is the duration of audit engagements acceptable?

e. Does the internal audit activity do an acceptable job of monitoring audit report
issues and following up to ensure that issues are resolved?

f. Does the internal audit activity provide you with appropriate implementation
assistance?

g. Have you requested the internal audit activity’s advisory assistance beyond
scheduled audits?

h. How were the results from the consulting engagement communicated to you?

i. Provide examples of a value-added service provided by the internal audit
activity to your area of responsibility.

General Comments

Add additional observations, comments, or suggestions for improvement of the
internal audit activity.

Opportunities for Continuous Improvement Noted (with program reference):

Program Description

Successful Internal Audit Practices Noted (with program reference):

Program Description

Template 2.3.3 Internal Audit Staff Interview Guide

Interview Guide: Internal Audit Staff

Organization Name:

Person Interviewed:

Position/Title:

Interviewer:

Date/Time:

Location:

Record Keeper:

Additional Comments:

Internal Audit Governance (use for appendix 2.4.1)

1. Comment on the independence, structure, and scope of work of the internal audit
activity.

a. What is the internal audit activity’s primary mission? What actions are taken to fulfill
that mission?

b. Does the nature and level of the internal audit activity’s reporting line to senior
management and the Board ensure its independence? Are you aware of any
impediments to independence?

c. Have you experienced undue influence that affected reporting the facts as you
discovered them?

d. Is there an aspect/area of the organization that is “off limits” to the internal audit
activity? If so, what area and why?

Internal Audit Staff (use for appendix 2.4.2)

2. Comment on the reputation and professionalism of the internal audit activity’s staff.

a. What is your opinion of the abilities of the CAE and the internal audit activity staff?
Professionalism? Communication skills? Interpersonal skills?

b. Do you feel that customers think you have the right knowledge and skills, including
IT capabilities?

c. Is the internal audit activity considered a good area for management development?
Is the internal audit activity considered a desirable and challenging area in which to
work?

d. Is the internal audit activity considered a good area for management development?

e. Do you believe that being on the internal audit activity staff will provide opportunities
for you to move to positions elsewhere in the organization?

f. Do internal audit activity staff members have a good understanding of the
organization’s key business processes? Do they have business acumen?

Internal Audit Management (use for appendix 2.4.3)

3. Comment on the operation of the internal audit activity from your perspective and
understanding of the needs of senior management.

a. Do you believe the internal audit activity’s priorities align with the organization’s
goals? Please explain.

b. Is the CAE kept adequately informed through attendance at senior management
meetings and through management communications? Does the CAE share this
information, when appropriate, with the staff?

c. Does the internal audit activity help identify significant risks and improve the
organization’s control and governance systems? Please explain.

d. Who within the internal audit activity has input into risk assessment and audit
planning? How is that input obtained? How frequently is that input obtained? Is there
sufficient emphasis on IT issues?

4. Comment on how the internal audit activity adds value to senior management.

a. Does the internal audit activity add value to the organization? If so, how?

b. Does the internal audit activity assist management beyond scheduled audits in
resolving business problems or improving business processes? If not, why not?

c. Does the internal audit activity perform consulting engagements as well as
assurance audits?

d. Does the internal audit activity obtain management’s feedback about its
effectiveness? Does it use this information to improve?

5. Give your views on how you are managed and how your skills are used and developed.

a. How is your work supervised? Do you think the supervision is adequate?

b. What is the performance appraisal process for internal auditors?

c. Do you have access to other internal audit activity reports? If not, do you receive
periodic briefings of audit results in meetings?

d. Do you experience empowerment (including using initiative in the field) and
self-accountability at work?

e. Does internal audit management endorse continuous improvement?

6. Discuss staff management policies and processes.

a. Are they clear, comprehensive, and well understood? How do the CAE and other
internal audit management:

i. Teach enterprise risk and governance concepts?

ii. Promote knowledge of and conformity to the Standards?

iii. Promote and facilitate the use of technology?

iv. Encourage and monitor training from internal and external sources?

v. Encourage staff participation in professional organizations (e.g., local IIA
chapter meetings and committees or audit-related and industry professional
organizations)?

vi. Encourage certification?

vii. Use staff members as liaisons for customers and involve them in the
engagement planning process?

viii. Evaluate and reward performance?

Internal Audit Process (use for appendix 2.4.4)

7. Comment further on ways to improve the internal audit activity’s efficiency and
effectiveness.

a. What is your view about how effectively the internal audit activity aligns with the
organization’s strategic objectives and enterprise risk management?

b. Is audit cycle time efficient? Are resources planned and used efficiently for individual
audit engagements?

c. Is engagement closing effective? Is report issuance timely?

d. Is there an effective system of follow-up on implementation of recommendations?

e. What things do you think the internal audit activity does well?

f. What would you like to change about the internal audit activity?

General Comments

Add additional observations or comments about the internal audit activity or other
matters discussed in the interview.

Template 2.3.4 External Auditors and Other Assurance Provider Interview Guide

Interview Guide: External Auditors and Other Assurance Providers

Organization Name:

Person Interviewed:

Position/Title:

Interviewer:

Date/Time:

Location:

Record Keeper:

Additional Comments:

Internal Audit Governance (use for appendix 2.4.1)

1. Comment on the independence, structure, and scope of work of the internal
audit activity.

a. Is the internal audit charter adequate, with sufficient authority to enable the
activity to perform effectively? Why or why not?

b. Does the nature and level of the internal audit activity’s reporting lines to
senior management and the Board ensure its independence?

c. Is the internal audit activity’s scope of work—as performed in practice—
appropriate to the needs of management? What areas should receive more
or less coverage? (Also D-3)

Internal Audit Staff (use for appendix 2.4.2)

2. Based on your experience and observations, comment on the capabilities and
professionalism of the internal audit activity staff.

a. Are staff members objective and professional?

b. Do staff members have the right skills, including IT capabilities?

c. Do staff members work well with others and inspire trust?

Internal Audit Management (use for appendix 2.4.3)

3. Comment on the credibility and effectiveness of the internal audit activity.

a. Is the CAE considered a key member of management?

b. Do you think the internal audit activity is performing a critical function, or is
it only useful but not critical?

c. How would you rate the overall internal audit activity on a scale of 1 to 10?
How does it compare with other internal audit activities with whom you
have worked?

4. Give your views on the management and operation of the internal audit
activity.

a. Do you have adequate input into internal audit activity risk assessment and
planning? Please explain. How is that input obtained? How frequently is
that input obtained?

b. How are disagreements resolved?

c. Is there sufficient emphasis on IT issues?

5. Comment on the internal audit activity’s contribution to the organization’s
overall governance processes.

a. Does the CAE have a “seat at the table” in discussions of organizational
strategy?

b. Does the internal audit activity help improve the organization’s governance
processes in other ways? Please explain.

c. Does the internal audit activity evaluate specific governance processes,
including IT? If so, which ones? How effective are the evaluations?

6. Comment on coordination of the internal audit activity with other assurance
providers (e.g., compliance, risk management, process improvement, or
special investigations).

a. Is there adequate coordination to prevent overlapping work?

b. Are reporting processes and terminology consistent enough to facilitate
comprehension by executives and the Board?

c. Does the internal audit activity place reliance on the work of any providers
of assurance for the organization? What basis is used for the reliance?

Internal Audit Process (use for appendix 2.4.4)

7. Express your opinion of the quality and value of audit and consulting projects.

a. Are reports timely and reasonably balanced? Do they properly reflect the
existing conditions?

b. Do recommendations relate to important issues? Have you found them to
be valuable?

c. Does the internal audit activity do an acceptable job of monitoring audit
report issues and following up to ensure that the issues are resolved?

General Comments

Add additional observations or comments about the internal audit activity or other
matters discussed in the interview.

Appendix 2.4 Assessment/Rating Tools

Template 2.4.1 Internal Audit Governance Assessment/Rating Tool

Organization Name:

Date Prepared:

Prepared By:

Reviewed By:

Instructions for Completion

1. Complete this form for a full external assessment and a self-assessment with
independent external validation. This form may be completed as a
component of a periodic internal assessment.

2. Objective #1 – Please complete each program step as described for each major
series of Standards (e.g., 1000). Document the results of the program steps in the
spaces provided. A different color font may be used to document results. “WP”
references should be to specific documents provided in appendix 2.1, “Planning
Tools and Checklists,” appendix 2.2, “Survey Tools,” appendix 2.3, “Interview
Guides,” or benchmark data. Specifically describe areas of non-conformance in
the space provided.

3. Objective #2 – For each major series of Standards, list and comment on any
successful internal audit practice demonstrated by the internal audit activity,
or any opportunity for continuous improvement identified. This information is
derived from information in the associated planning guide, survey guide,
interview guide, benchmark data, and analysis performed for this program.
The background and experience of the external assessor and assessment
team should be a valuable resource when identifying successful internal
audit practices.

Planning and Preparation

Initial/Date

1. Review implementation guidance specific to the Standards or Code
of Ethics evaluated in this program segment.

2. Review the information included in the planning guide for this
program segment.

3. Confirm receipt of documents included on the Document Request
Checklist.

4. Review survey results for questions denoted for this program
segment.

5. Confirm that the list of planned interviews will adequately support the
completion of this program segment. Consider additional relevant
interview questions to support this program segment.

6. Obtain and review any benchmarking information, such as the Global
Audit Information Network (GAIN), related to internal audit
governance (e.g., CAE reporting relationships, Audit Committee
charters, and responsibilities). Identify any potential opportunities for
improvement.

7. Review appendix 2.41., “Internal Audit Governance” as it relates to
internal audit governance. Evaluate successful internal audit
practices noted by the CAE. Identify additional successful internal
audit practices in evidence within the internal audit activity, or those
processes or practices that are particularly effective or noteworthy.
Consider the relative size of the internal audit activity when making
this determination.

8. Review the internal audit activity strategic plan and vision and the
supporting strengths, weaknesses, opportunities, and threats
analysis to identify potential opportunities for continuous
improvement or successful internal audit practices related to internal
audit governance.

Standard 1000 – Purpose, Authority, and Responsibility

Objective #1: Determine the internal audit activity’s level of conformance with the intent
of Standard 1000.

Initial/Date   WP References

1. Review the internal audit charter:

a. Provide the date when the charter was last updated and
approved by the Board.

b. Does the charter define the purpose, authority, and
responsibility of the internal audit activity?

c. Is the charter aligned with the Mission of Internal Audit
and the mandatory elements of the IPPF?

d. Does the charter provide for unrestricted access to all
documents, people, and assets to perform engagements?

e. How are the functional and administrative reporting
relationships of the CAE established in the charter?

f. Is the nature of the functional reporting relationship
specifically described in the charter? If so, what are the
examples that demonstrate functional reporting?

g. Is the nature of assurance and consulting work defined in
the charter?

h. Is there a specific reference to the mandatory elements
of the IPPF in the charter? Are they referred to as
mandatory elements?

2. Compare the internal audit charter with the Audit Committee
charter to determine if the responsibilities, reporting lines,
etc., as stated in the Audit Committee charter, correspond.

3. Review the survey and interview results for this program
segment. Determine if the results will have any impact on
your results and conclusion.

4. Check with the quality assessment team members assigned
to the other program segments and determine whether any
governance issues related to Standard 1000 were noted.

Standard GC PC DNC

Key Conformance Criteria: Standard 1000 – Purpose, Authority, and
Responsibility

A. The internal audit charter is a formal document that defines the
internal audit activity’s purpose, authority, and responsibility.
(Standard 1000)

B. The internal audit charter is consistent with the Mission of Internal
Audit and the mandatory elements of the IPPF (Core Principles for the
Professional Practice of Internal Auditing, Definition of Internal
Auditing, Code of Ethics, and the Standards). (Standard 1000)

C. The internal audit charter is periodically reviewed by the CAE and
presented to senior management and the Board for approval. Final
approval of the internal audit charter resides with the Board.
(Standard 1000)

D. The internal audit charter establishes the position of the internal
audit activity within the organization from a functional and
administrative perspective. (Standard 1000)

E. The internal audit charter specifically describes the nature of the
functional reporting relationship of the CAE to the Board in a manner
consistent with current practice. (Standard 1000)

F. The internal audit charter authorizes access to records, personnel,
and physical properties relevant to the performance of engagements.
(Standard 1000)

G. The internal audit charter defines the scope of internal audit
activities. (Standard 1000)

H. The nature of assurance services provided to the organization is
defined in the internal audit charter. (Standard 1000.A1)

I. If assurance services are provided outside the organization, the
nature of these assurances is defined in the internal audit charter.
(Standard 1000.A1)

J. The nature of consulting services provided is defined in the internal
audit charter. (Standard 1000.C1)

Key Conformance Criteria: Standard 1010 – Recognizing Mandatory Guidance
in the Internal Audit Charter

A. The mandatory nature of the Core Principles for the Professional
Practice of Internal Auditing, Definition of Internal Auditing, Code of
Ethics, and the Standards is recognized in the internal audit charter.
(Standard 1010)

B. The CAE discusses the Mission of Internal Audit and the mandatory
elements of the IPPF with senior management and the Board.
(Standard 1010)

Conformance Gaps Noted (if any): Standard

Objective #2: Assess the efficiency and effectiveness of the internal audit activity, identify
opportunities for continuous improvement, and offer ideas to the CAE and internal audit
activity staff for improving their performance and increasing their ability to add value.

Initial/Date   WP References

1. Review all information provided in appendices A-0 through
A-4 and identify opportunities for continuous improvement
and successful internal audit practices pertinent to Standard
1000 – Purpose, Authority, and Responsibility.

Opportunities for Continuous Improvement Noted (if any): Standard

Successful Internal Audit Practices Noted (if any): Standard

Standard 1300 – Quality Assurance and Improvement Program


Objective #1: Determine the internal audit activity’s level of conformance with the intent of
Standard 1300.

Initial/Date   WP References

1. Review the internal audit policy/procedure (QAIP) (appendix
A-0, document #19) and determine whether it describes all
required elements (scope, objectives, internal and external
assessments, and communication of results). Is the QAIP
documented in the internal audit manual? How frequently is
it reviewed and updated? How does the CAE encourage
Board oversight in the QAIP?

2. Determine if the defined scope and objectives of the QAIP
are sufficient to enable an evaluation of the internal audit
activity’s conformance with the Standards, and whether
internal auditors apply the Code of Ethics. Is there an
additional focus on identifying opportunities for continuous
improvement?

3. Determine if ongoing monitoring of performance supports
quality on an audit-by-audit basis. Does the internal audit
activity use performance metrics to support their ongoing
monitoring activities? What are these performance metrics
and how are they used to manage quality in the internal
audit activity?

4. Review documents supporting ongoing monitoring of
performance (appendix A-0, documents #20 and #22) and
determine whether they are consistent with the process and
requirements documented in the QAIP.

5. Determine if the process used by the internal audit activity
for periodic internal assessment provides a holistic view of
conformance with the Standards and whether internal
auditors apply the Code of Ethics. How often is this process
performed?

6. Review documents supporting periodic internal assessment
(appendix A-0, documents #21 and #23) and determine
whether they are consistent with the process and
requirements documented in the QAIP.

7. Determine if the process used by the internal audit activity
for external quality assessment is performed in a manner
consistent with the process described in the QAIP. How
frequently is external assessment performed? What is the
form of external assessment (full scope or self-assessment
with independent external validation)? To what extent is the
Board involved in oversight of the external assessment
process?

8. Determine if the external assessor or assessment team was
qualified in internal auditing and external quality assessment.
Were potential impairments to independence and objectivity
disclosed and discussed with the Board during the external
assessor selection process?

9. Review documents supporting external quality assessment
(appendix A-0, document #24) and determine whether they
are consistent with the process and requirements
documented in the QAIP. When was the last external
assessment report issued?

10. Determine if the communication requirements related to the
QAIP have been modified to include the required disclosures
of 1) scope and frequency of both internal and external
assessments; 2) the qualifications and independence of the
assessor(s) or assessment team, including potential conflicts
of interest; 3) conclusions of assessors; and 4) corrective
action plans.

11. Review Board meeting agendas and minutes of meetings to
determine if communication of QAIP results (ongoing
monitoring of performance, periodic internal assessment, and
external assessment) were included. Review periodic reports
of the internal audit activity to determine if communication took
place and met the requirements of the Standards and the
QAIP.

12. Determine if the internal audit activity monitors and reports
on progress made to address gaps to conformance or
opportunities for continuous improvement identified.

13. Determine whether the internal audit activity uses the
statement “Conforms with the International Standards for the
Professional Practice of Internal Auditing” on reports or any
other correspondence of the internal audit activity. This is
typically found in the internal audit charter, periodic reports to
senior management and the Board, and engagement reports.
Determine whether the results of the QAIP, including external
assessment, support its use.

14. Determine if any disclosures of non-conformance were
required. If there were issues, determine that the impact of
non-conformance was communicated to senior management
and the Board.

15. Review the survey and interview results for this program
segment. Determine if the results will have any impact on your
results and conclusion.

16. Check with the quality assessment team members assigned
to the other program segments and determine whether any
governance issues related to Standard 1300 were noted.

Standard GC PC DNC

Key Conformance Criteria: Standard 1300 – Quality Assurance and
Improvement Program

A. The CAE has developed and maintains a QAIP that covers all aspects of
the internal audit activity. (Standard 1300)

B. The QAIP is designed to enable the evaluation of the internal audit
activity’s conformance with the Standards. (Standard 1300)

C. The QAIP is designed to enable the evaluation of whether internal
auditors apply the Code of Ethics. (Standard 1300)

D. The QAIP assesses the efficiency and effectiveness of the internal
audit activity and identifies opportunities for improvement.
(Standard 1300)

E. The CAE encourages Board oversight in the QAIP. (Standard 1300)

Key Conformance Criteria: Standard 1310 – Requirements of the Quality
Assurance and Improvement Program

A. The QAIP has both internal and external assessment components.
(Standard 1310)

Key Conformance Criteria: Standard 1311 – Internal Assessments

A. There is evidence of ongoing monitoring of the performance of the
internal audit activity. (Standard 1311)

B. Ongoing monitoring is incorporated into the routine policies and
practices of the internal audit activity and uses processes, tools, and
information considered necessary to evaluate conformance with the Code
of Ethics and the Standards. (Standard 1311)

C. There is evidence of periodic assessments conducted to evaluate
conformance with the Code of Ethics and the Standards. (Standard 1311)

D. Periodic assessments are conducted by individuals who have an
understanding of all of the elements of the IPPF. (Standard 1311)

Key Conformance Criteria: Standard 1312 – External Assessments

A. There is evidence that an external assessment has been conducted
within the past five years. (Standard 1312)

B. The external assessment was conducted by a qualified and independent
assessor or assessment team from outside the organization.
(Standard 1312)

C. The external assessor or assessment team concluded as to conformance
with the Code of Ethics and the Standards. (Standard 1312)

D. The external assessor or assessment team demonstrated competence in
the professional practice of internal auditing and the external
assessment process. (Standard 1312)

E. There is evidence that the CAE has discussed with the Board the form
and frequency of the external assessment. (Standard 1312)

F. There is evidence that the CAE has discussed with the Board the
qualifications and independence of the external assessor or assessment
team, including any potential conflicts of interest. (Standard 1312)

G. The independent assessor or assessment team does not have actual or
perceived conflicts of interest of the organization to which the internal
audit activity belongs. They are not a part of or under the control of
the organization. (Standard 1312)

H. The CAE encourages Board oversight in the external assessment to
reduce perceived or potential conflict of interest. (Standard 1312)

Key Conformance Criteria: Standard 1320 – Reporting on the Quality
Assurance and Improvement Program

A. There is evidence that the CAE has communicated the results of the
QAIP to senior management and the Board. Disclosure includes the scope
and frequency of both the internal and external assessments.
(Standard 1320)

B. There is evidence that the CAE has communicated the results of the
QAIP to senior management and the Board. Disclosure includes the
qualifications and independence of the assessor(s) or assessment team,
including potential conflicts of interest. (Standard 1320)

C. There is evidence that the CAE has communicated the results of the
QAIP to senior management and the Board. Disclosure includes conclusions
of assessors. (Standard 1320)

D. There is evidence that the CAE has communicated the results of the
QAIP to senior management and the Board. Disclosure includes corrective
action plans. (Standard 1320)

E. There is evidence that the CAE has communicated the results of ongoing
monitoring annually to senior management and the Board. Results include
the independent assessor’s or assessment team’s evaluation with respect
to the degree of conformance. (Standard 1320)

F. There is evidence that the CAE has communicated the results of
external assessments to senior management and the Board upon completion.
Results include the independent assessor’s or assessment team’s
evaluation with respect to the degree of conformance.

Key Conformance Criteria: Standard 1321 – Use of “Conforms with the
International Standards for the Professional Practice of Internal
Auditing”

A. Indicating that the internal audit activity conforms with the
Standards is supported by the results of the QAIP. (Standard 1321)

Key Conformance Criteria: Standard 1322 – Disclosure of Non-conformance

A. There is evidence that when non-conformance with the Definition of
Internal Auditing, the Code of Ethics, or the Standards impacts the
overall scope or operation of the internal audit activity, the CAE has
disclosed the non-conformance and the impact to senior management and
the Board. (Standard 1322)

Conformance Gaps Noted: Standard

Objective #2: Assess the efficiency and effectiveness of the internal audit activity, identify
opportunities for continuous improvement, and offer ideas to the CAE and internal audit activity
staff for improving their performance and increasing their ability to add value.

Initial/Date   WP References

1. Review all information provided in appendices A-0 through A-4
and identify opportunities for continuous improvement and
successful internal audit practices pertinent to Standard 1300
– Quality Assurance and Improvement Program.

Opportunities for Continuous Improvement Noted (if any): Standard

Successful Internal Audit Practices Noted (if any): Standard


Template 2.4.2 Internal Audit Staff Assessment/Rating Tool

Organization Name:

Date Prepared:

Prepared By:

Reviewed By:

Instructions for Completion

1. Complete this form for a full external assessment and a self-assessment with
independent external validation. This form may be completed as a component
of a periodic internal assessment.

2. Objective #1 – Please complete each program step as described for each
major series of Standards (e.g., 1000). Document the results of the program
steps in the spaces provided. A different color font may be used to document
results. “WP” references should be to specific documents provided in
appendix 2.1.1, “Background Information and Document Request Checklist,”
appendix 2.1, “Planning Tools and Checklists,” appendix 2.2, “Survey Tools,”
appendix 2.3, “Interview Guides,” or benchmark data. Specifically describe
areas of non-conformance in the space provided.

3. Objective #2 – For each major series of Standards, list and comment on any
successful internal audit practice demonstrated by the internal audit activity
or opportunity for continuous improvement identified. This information is
derived from information in the associated planning guides, survey guides,
interview guides, benchmark data, and analysis performed for this program.
The background and experience of the external assessor and assessment
team should be a valuable resource when identifying successful internal audit
practices.

Planning and Preparation

Initial/Date

1. Review implementation guidance specific to the Standards evaluated in
this program segment.

2. Review information included in the planning guide for this program
segment.

3. Confirm receipt of documents included on the Background Information and
Document Request Checklist.

4. Review survey results for questions denoted for this program segment.

5. Confirm that the list of planned interviews will adequately support the
completion of this program segment. Consider additional relevant
interview questions to support this program segment.

6. Obtain and review any benchmarking information, such as the Global
Audit Information Network (GAIN), related to internal audit governance
(e.g., CAE reporting relationships, Audit Committee charters, and
responsibilities). Identify any potential opportunities for improvement.

7. Review appendix A-2, “Internal Audit Staff,” as it relates to internal audit
staff. Evaluate successful internal audit practices noted by the CAE.
Identify successful internal audit practices in evidence within the internal
audit activity, or processes or practices that are particularly effective or
noteworthy. Consider the relative size of the internal audit activity when
making this determination.

8. Review the internal audit specific activity plan and vision (appendix 2.1.1,
document #8) and the supporting strengths, weaknesses, opportunities,
and threats analysis to identify potential opportunities for continuous
improvement or successful internal audit practices related to internal audit
governance.

Standard 1200 – Proficiency and Due Professional Care

Objective #1: Determine the internal audit activity’s level of conformance with the intent of
Standard 1200.

Initial/Date   WP References

1. Review the internal audit activity’s organization chart and
staff profiles. Evaluate the internal audit activity’s assignment
of responsibilities and overall level of core competencies.

2. Review the internal audit activity management and staff job
descriptions. Review any competency models or frameworks
used to describe skills, competencies, and experiences.

a. Determine whether the job descriptions (or the
competency model) provide suitable criteria of education
and experience for filling internal audit positions.

b. Determine whether the current auditors meet the
specified criteria of education and experience.

c. Determine whether the level and type of professional
certification is appropriate to demonstrate proficiency.

3. Review the planning guide information and the internal audit
activity policies or procedures related to specialized skills
required by the internal audit activity and the staffing
analysis (support for current and prior year audit plans).

a. Determine whether the current internal audit activity staff
possesses adequate IT audit skills.

b. Determine whether any other specialized skills or
expertise (i.e., fraud detection skills, consulting skills,
etc.) are required to meet the unique needs of the
organization.

c. If specialized skills are needed, determine whether the
current staff possesses these skills.

d. Evaluate whether the type of assistance provided, and
the qualifications of any third-party providers used during
the review period were appropriate.

4. Review the planning guide information and any internal audit
activity policies or procedures related to due diligence
requirements for internal audit activity management and staff.
Determine if internal audit activity management and staff are
aware of their due professional care requirements.

5. Determine the extent to which the internal audit activity
considers the use of technology-based audit and other data
analysis techniques. Evaluate whether these techniques are
used consistently and are appropriately documented.

6. Determine if due professional care is exercised for both
assurance and consulting-related activities.

7. Review planning guide information and internal audit activity
policies or procedures related to continuing professional
development.

a. Determine whether the required number of hours for each
internal auditor is adequate to meet certification
requirements.

b. Evaluate whether the internal audit activity budget is
sufficient to support continuing professional development
activities.

c. Determine whether professional certification for internal
audit management and staff (e.g., CIA, CPA, CISA,
CRMA, CMA, CISSP, CBA, etc.) is encouraged and
supported, including review courses and examinations.

8. Review internal audit activity training records (appendix
2.1.1, document #17).

a. Assess the training received and determine whether it
represented the necessary courses to maintain
proficiency, especially with regard to specialized skills
(e.g., IT, fraud, and other core internal audit
competencies).

b. Determine whether supervisors have received training in
management skills.

c. Determine whether individuals with certifications receive
the appropriate amount of training.

d. Determine whether there is an appropriate level of
support for and interaction with professional organizations
(e.g., IIA, ISACA, etc.).

9. Review planning guide information and internal audit policies
or procedures related to the performance appraisal process.

a. Evaluate whether the performance appraisal process is
linked to continuing professional development. Review
performance appraisal templates. Are development plans
a required element?

b. Determine the frequency of performance appraisals (e.g.,
annual, after each audit, etc.).

c. Assess the quality of the performance appraisal process.
Is career counseling an element of the process?

10. Review the survey and interview results for this program
segment. Determine if the results will have any impact on
your results and conclusion.

11. Check with the quality assessment team members assigned
to the other program segments and determine whether any
staff issues related to Standard 1200 were noted.

Standard GC PC DNC

Key Conformance Criteria: Standard 1200 – Proficiency and Due
Professional Care

A. Engagements are performed with proficiency and due professional care.
(Standard 1200)

Key Conformance Criteria: Standard 1210 – Proficiency

A. Internal auditors possess the knowledge, skills, and other
competencies needed to perform their individual responsibilities.
(Standard 1210)

B. The internal audit activity collectively possesses or has obtained
the knowledge, skills, and other competencies needed to perform its
responsibilities. (Standard 1210)

C. Internal auditors are encouraged to demonstrate their proficiency by
obtaining appropriate professional certifications and qualifications,
such as the CIA designation and other designations offered by The IIA
and other appropriate professional organizations. (Standard 1210)

D. The CAE has obtained competent advice and assistance when the internal
audit staff lacks the knowledge, skills, or other competencies needed to
perform all or part of the engagement. (Standard 1210.A1)

E. Internal auditors have sufficient knowledge to evaluate the risk of
fraud and the manner in which it is managed by the organization.
(Standard 1210.A2)

F. Internal auditors have sufficient knowledge of key IT risks and
controls and available technology-based audit techniques to perform
their assigned work. Not all internal auditors are expected to have IT
auditing expertise. (Standard 1210.A3)

G. The CAE has declined consulting engagements or obtains competent
advice and assistance if the internal auditors lack the knowledge,
skills, or other competencies needed to perform all or part of the
engagement. (Standard 1210.C1)

Key Conformance Criteria: Standard 1220 – Due Professional Care

A. Internal auditors apply the care and skill expected of a reasonably
prudent and competent internal auditor. (Standard 1220)

B. Internal auditors exercise due professional care by considering the
extent of work needed to achieve the engagement’s objectives.
(Standard 1220.A1)

C. Internal auditors exercise due professional care by considering the
relative complexity, materiality, or significance of matters to which
assurance procedures are applied. (Standard 1220.A1)

D. Internal auditors exercise due professional care by considering the
adequacy and effectiveness of governance, risk management, and control
processes. (Standard 1220.A1)

E. Internal auditors exercise due professional care by considering the
probability of significant errors, fraud, or non-compliance.
(Standard 1220.A1)

F. Internal auditors exercise due professional care by considering the
cost of assurance in relation to potential benefits. (Standard 1220.A1)

G. Internal auditors consider the use of technology-based audit and other
data analysis techniques. (Standard 1220.A2)

H. Internal auditors are alert to the significant risks that might
affect objectives, operations, or resources. (Standard 1220.A3)

I. Internal auditors exercise due professional care during consulting
engagements by considering the needs and expectations of clients,
including the nature, timing, and communication of engagement results.
(Standard 1220.C1)

J. Internal auditors exercise due professional care during consulting
engagements by considering the relative complexity and extent of work
needed to achieve the engagement’s objectives. (Standard 1220.C1)

K. Internal auditors exercise due professional care during consulting
engagements by considering the cost of the consulting engagement in
relation to potential benefits. (Standard 1220.C1)

Key Conformance Criteria: Standard 1230 – Continuing Professional
Development

A. Internal auditors enhance their knowledge, skills, and other
competencies through continuing professional development.
(Standard 1230)

Conformance Gaps Noted (if any): Standard

Objective #2: Assess the efficiency and effectiveness of the internal audit activity, identify
opportunities for continuous improvement, and offer ideas to the CAE and internal audit
activity staff for improving their performance and increasing their ability to add value.

Initial/Date   WP References

1. Review all information provided in appendices A-0 through
A-4 and identify opportunities for continuous improvement
and successful internal audit practices pertinent to Standard
1200 – Proficiency and Due Professional Care.

Opportunities for Continuous Improvement Noted (if any): Standard

Successful Internal Audit Practices Noted (if any): Standard


Template 2.4.3 Internal Audit Management Assessment/Rating Tool

Organization Name:

Date Prepared:

Prepared By:

Reviewed By:

Instructions for Completion

1. Complete this form for a full external assessment and a self-assessment with
independent external validation. This form may be completed as a component
of a periodic internal assessment.

2. Objective #1 – Please complete each program step as described for each
major series of Standards (e.g., 1000). Document the results of the program
steps in the spaces provided. A different color font may be used to document
results. “WP” references should be to specific documents provided in
appendix 2.1.1, “Background Information and Document Request Checklist,”
appendix 2.1.2, “Planning Guides,” appendix B, “Survey Guides,” appendix
C, “Interview Guides,” or benchmark data. Specifically describe areas of
non-conformance in the space provided.

3. Objective #2 – For each major series of Standards, list and comment on any
successful internal audit practice demonstrated by the internal audit activity,
or opportunity for continuous improvement identified. This information is
derived from information in the associated planning guides, survey guides,
interview guides, benchmark data, and analysis performed for this program.
The background and experience of the external assessor and assessment
team should be a valuable resource when identifying successful internal audit
practices.


Planning and Preparation Initial/Date

1. Review implementation guidance specific to the Standards evaluated
in this program segment.

2. Review information included in the planning guide for this program
segment.

3. Confirm receipt of documents included on the Background
Information and Document Request Checklist.

4. Review survey results for questions denoted for this program
segment.

5. Confirm that the list of planned interviews will adequately support the
completion of this program segment. Consider additional interview
questions to support this program segment.

6. Obtain and review any benchmarking information, such as the Global
Audit Information Network (GAIN), related to internal audit
governance (e.g., CAE reporting relationships, Audit Committee
charters, and responsibilities). Identify any potential opportunities for
improvement.

7. Review appendix A-3, “Internal Audit Management,” related to
internal audit management. Evaluate successful internal audit
practices noted by the CAE. Identify additional successful internal
audit practices in evidence within the internal audit activity, or those
processes or practices that are particularly effective or noteworthy.
Consider the relative size of the internal audit activity when making
this determination.

8. Review the internal audit strategic plan and vision (appendix A-0,
document #8) and the supporting strengths, weaknesses,
opportunities, and threats analysis to identify potential opportunities
for continuous improvement or successful internal audit practices
related to internal audit governance.

Standard 2000 – Managing the Internal Audit Activity

Objective #1: Determine the internal audit activity’s level of conformance with the intent of
Standard 2000.

Initial/Date    WP References

1. Review the internal audit activity strategic plan.

a. Evaluate the process used to develop and maintain the
internal audit strategic plan.

b. Determine whether the initiatives identified in the plan are
supported by a strengths, weaknesses, opportunities,
and threats analysis.

c. Determine whether the plan is aligned with the
organization’s strategic plan.

2. Review planning guide information and internal audit policies
or procedures related to the annual risk assessment and
audit planning process. Determine if the annual risk
assessment and audit planning processes are documented
in a manner to support consistency, quality, and
sustainability.

3. Review the internal audit activity audit universe.

a. Evaluate the completeness of the audit universe or scope
of auditable topics. If needed, refer to the applicable
IPPF guidance (e.g., GTAG 11: Developing an IT Audit
Plan or Implementation Guide 2010) for additional
information.

b. Evaluate the appropriateness of the size and number of
audit entities (e.g., too detailed or general, too many or
too few, inconsistencies between different areas in the
organization, and logical division of systems or areas).

c. Determine if control or risk frameworks are used to
develop the audit universe (e.g., COSO, ISO, COBIT,
ITIL, NIST, etc.).

4. Review the annual risk assessment methodology.

a. Determine whether the input of senior management, the
Board, and other key internal audit stakeholders was
given appropriate consideration.

b. Determine whether the organization’s risk management,
including risk appetite levels, was considered
(Implementation Guide 2020) or if the CAE used his or
her judgment of risks after consultation with senior
management and the Board.

c. Determine whether the scope of the methodology
included an evaluation of risk exposures relating to the
organization’s governance, operations, and information
systems.

d. Determine whether the internal audit activity risk
assessment process considers the work of other
providers of assurance for the organization.

e. Determine whether a process is in place to capture
changes in the organization’s business, risks, operations,
programs, systems, and controls, and to incorporate
these changes into an updated audit plan. Determine the
rationale and the movement of significant projects that
were planned and scheduled but not executed.

5. Review the annual audit plan as presented to the Board for
review and approval.

a. Determine if the supporting documents and the
information are sufficient based on the size, structure,
and complexity of the internal audit activity.

b. Determine if the results of the risk assessment were used
to develop the audit plan.

c. Determine if the highest risk auditable units have been
included in the audit plan; and if not, if adequate rationale
is provided.

d. Determine if IT systems/applications were appropriately
included or as audit entities (GTAG 11: Developing an IT
Audit Plan).

e. Determine if the annual audit plan differentiates between
assurance and consulting activities.

f. Determine if opportunities to add value were considered
by identifying potential engagements where the efficiency
and effectiveness of the auditable units could be
assessed.

6. Evaluate the CAE’s methods for tracking engagements in
process, completed engagements, management requests,
and other priorities not foreseen during risk assessment and
planning.

7. Determine if the annual audit plan and significant changes to
the plan have been approved by the Board and documented.

8. Determine if resource limitations, if any, have been
communicated to the Board. What form of communication
took place?

9. Review and evaluate the internal audit activity’s resource
allocations that support the annual audit plan.

a. Determine if internal audit resources are aligned with
annual audit plan objectives from a number, skill, and
competency perspective.

b. Determine if specialized skills are required to meet
annual audit plan objectives (e.g., IT, compliance,
industry-specific operation, etc.). Determine whether a
process has been established to ensure competency of
third-party service providers if used to meet competency
requirements.

c. If third parties are used to provide internal audit services,
confirm the responsibilities of both parties. This may
require a review of portions of the service provider’s
engagement letters or contracts for services.

10. Review planning guide information and internal audit policies
or procedures related to developing, maintaining, and
implementing internal audit policies and procedures.
Determine if the process and timing to update the Guide is
sufficient to capture changes in internal audit activity
requirements, including changes to the IPPF.

11. Review the internal audit policy and procedure manual.
Determine if the manual is sufficient in terms of form and
content to support consistency, quality, and sustainability of
internal audit activity infrastructure and processes. Consider
size, structure, and complexity of the internal audit activity
when making this determination.

12. Review planning guide information and internal audit policies
or procedures related to coordination and reliance with other
providers of assurance for the organization.

a. Determine if the work of the internal audit activity and the
external auditor (or equivalent) is effectively coordinated.

b. Determine if the internal audit activity coordinates
activities with other providers of assurance within the
organization. Determine if any reliance is placed upon
the work of other assurance providers.

c. Determine if coordination and reliance effectively
minimize duplication of effort between the internal audit
activity and other providers of assurance.

d. Evaluate the process used by the internal audit activity to
support the reliance they place on the work of other
assurance providers.

e. Determine how the internal audit activity evaluates the
competency, objectivity, and due professional care of
other assurance and consulting service providers.

13. Review and evaluate the internal audit activity’s
communication and reporting practices and any internal
audit activity policy/procedure on communicating
results. Obtain the Audit Committee’s (or equivalent)
agendas and minutes. Confirm that the required
Board/Audit Committee communication requirements were
covered. If they were not applicable, determine why.
Determine how the internal audit activity demonstrates
required communications of:

a. The internal audit charter.

b. Independence of the internal audit activity.

c. The audit plan and progress against the plan.

d. Resource requirements.

e. Results of audit activities.

f. Conformance with the Standards and Code of Ethics,
and action plans to address any significant conformance
issues.

g. Management’s response to risk that, in the CAE’s
judgment, may be unacceptable to the organization.

14. Evaluate the completeness and quality of periodic reports
provided to senior management and the Board from the
internal audit activity.

a. Evaluate whether the reports include performance
relative to the internal audit activity’s plan (e.g., any
significant changes to the plan, internal audit
performance measures).

b. Evaluate whether the reports include any significant risk
exposures or control issues that adversely affect the
organization’s ability to achieve its strategic and key
supporting objectives.

15. Evaluate whether internal audit services are fully outsourced
to a third-party service provider. If so, determine whether the
third-party service provider has made the organization aware
that they have the responsibility of managing an effective
internal audit activity.

16. Review the survey and interview results for this program
segment. Determine if the results will have any impact on
your results and conclusion.

17. Check with the quality assessment team members assigned
to the other program segments and determine whether any
internal audit management issues related to Standard 2000
were noted.

Standard GC PC DNC

Key Conformance Criteria:
Standard 2000 – Managing the Internal Audit
Activity

2000
A. Effective management of the internal audit
activity is demonstrated when the internal
audit activity achieves the purpose and
responsibility included in the internal audit
charter.

2000
B. Effective management of the internal audit
activity is demonstrated when the internal
audit activity conforms with the Standards.

2000
C. Effective management of the internal audit
activity is demonstrated when the internal
audit activity’s individual members
conform with the Code of Ethics.

2000
D. Effective management of the internal audit
activity is demonstrated when the internal
audit activity considers trends and
emerging issues that could impact the
organization.

2000
E. The internal audit activity adds value to
the organization and its stakeholders
when it considers strategies, objectives,
and risks; strives to offer ways to enhance
governance, risk management, and
control processes; and objectively
provides relevant assurance.

Key Conformance Criteria:


Standard 2010 – Planning

2010
A. The CAE has established a risk-based
plan to determine the priorities of the
internal audit activity, consistent with the
organization’s goals.

2010
B. To develop the risk-based plan, the CAE
consults with senior management and the
Board and obtains an understanding of
the organization’s strategies, key
business objectives, associated risks, and
risk management processes.

2010
C. The CAE reviews and adjusts the plan as
necessary, in response to changes in the
organization’s business, risks, operations,
programs, systems, and controls.

2010.A1
D. The internal audit activity plan of
engagements is based on a documented
risk assessment undertaken at least
annually.

2010.A1
E. The input of senior management and the
Board is considered in the risk
assessment process.

2010.A2
F. The CAE identifies and considers the
expectations of senior management, the
Board, and other stakeholders for internal
audit opinions and other conclusions.

2010.C1
G. The CAE considers accepting proposed
consulting engagements based on the
engagement’s potential to improve
management of risks, add value, and
improve the organization’s operations.
Accepted engagements are included in
the audit plan.

Key Conformance Criteria:


Standard 2020 – Communication and
Approval

2020
A. The CAE communicates the internal audit
activity’s plans and resource
requirements, including significant interim
changes, to senior management and the
Board for review and approval.

2020
B. The CAE communicates the impact of
resource limitations to senior
management and the Board.

Key Conformance Criteria:


Standard 2030 – Resource Management

2030
A. The CAE ensures that internal audit
resources are appropriate to achieve the
approved plan.

2030
B. The CAE ensures that internal audit
resources are sufficient to achieve the
approved plan.

2030
C. The CAE ensures that internal audit
resources are effectively deployed to
achieve the approved plan.

Key Conformance Criteria:


Standard 2040 – Policies and Procedures

2040
A. The CAE has established policies and
procedures to guide the internal audit
activity.

2040
B. The form and content of policies and
procedures are consistent with and
appropriate for the size and structure of
the internal audit activity and the
complexity of its work.

Key Conformance Criteria:


Standard 2050 – Coordination and Reliance

2050
A. The CAE shares information with other
internal and external providers of
assurance and consulting services to
ensure proper coverage and minimize
duplication of effort.

2050
B. The CAE coordinates activities with other
internal and external providers of
assurance and consulting services to
ensure proper coverage and minimize
duplication of effort.

2050
C. If the CAE relies upon the work of other
internal and external providers of
assurance and consulting services, a
consistent process for the basis of
reliance should be established.

2050
D. If the CAE relies upon the work of other
internal and external providers of
assurance and consulting services, the
CAE should consider the competency,
objectivity, and due professional care of
the assurance and consulting service
providers.

2050
E. If the CAE relies upon the work of other
internal and external providers of
assurance and consulting services, the
CAE should have a clear understanding of
the scope, objectives, and results of the
work performed by other providers of
assurance and consulting services.

Key Conformance Criteria:


Standard 2060 – Reporting to
Senior Management and the Board

2060
A. The CAE reports periodically to senior
management and the Board on the
internal audit activity’s purpose, authority,
responsibility, and performance relative to
its plan.

2060
B. The CAE reports periodically to senior
management and the Board on the
internal audit activity’s conformance with
the Code of Ethics and the Standards.

2060
C. The CAE reports significant risk
exposures and control issues, including
fraud risks, governance issues, and other
matters needed or requested by senior
management and the Board.

2060
D. The frequency and content of reporting
has been determined based on
discussions with senior management and
the Board, and depends on the
importance of the information
communicated and the urgency of related
actions to be taken by senior
management and the Board.

1000, 2060
E. The CAE’s reports and communications to
senior management and the Board
include information about the internal
audit charter.

1100, 2060
F. The CAE’s reports and communications to
senior management and the Board include
information about the independence of the
internal audit activity.

2010, 2020, 2060
G. The CAE’s reports and communications to
senior management and the Board include
information about the audit plan and
progress against the plan.

2030, 2060
H. The CAE’s reports and communications to
senior management and the Board
include information about resource
requirements.

2060
I. The CAE’s reports and communications to
senior management and the Board
include information about the results of
audit activities.

1320, 2060
J. The CAE’s reports and communications to
senior management and the Board
include information about conformance
with the Code of Ethics and the Standards
and action plans to address any
significant conformance issues.

2060, 2600
K. The CAE’s reports and communications to
senior management and the Board
include information about management’s
response to risk that, in the CAE’s
judgment, may be unacceptable to the
organization.

Key Conformance Criteria:


Standard 2070 – External Service Provider
and Organizational Responsibility for Internal
Auditing

2070
A. When an external service provider serves
as the internal audit activity, the provider
makes the organization aware that the
organization has the responsibility for
maintaining an effective internal audit
activity.

2070
B. The responsibility for maintaining an
effective internal audit activity is
demonstrated through the QAIP, which
assesses conformance with the Code of
Ethics and the Standards.

Conformance Gaps Noted (if any): Standard

Objective #2: Assess the efficiency and effectiveness of the internal audit activity,
identify opportunities for continuous improvement, and offer ideas to the CAE and the
internal audit activity staff for improving their performance and increasing their ability to
add value.

Initial/Date    WP References

1. Review all information provided in appendices A-0 through
A-4 and identify opportunities for continuous improvement
and successful internal audit practices pertinent to Standard
2000 – Managing the Internal Audit Activity.

Opportunities for Continuous Improvement Noted (if any): Standard

Successful Internal Audit Practices Noted (if any): Standard


Standard 2100 – Nature of Work

Objective #1: Determine the internal audit activity’s level of conformance with the intent
of Standard 2100.

Initial/Date    WP References

1. Review planning guide information and internal audit policies
or procedures related to the internal audit activity’s role and
responsibilities related to governance, risk management, and
control within the organization. Specifically review
information provided in appendix A-0, documents #4, #5,
and #6.

2. Review the audit plan’s coverage of the organization’s
governance processes. Specifically evaluate whether
internal audit makes appropriate recommendations to
improve the organization’s governance processes related to:

a. Making strategic and operational decisions.

b. Overseeing risk management and control.

c. Promoting appropriate ethics and values within the
organization.

d. Ensuring effective organizational performance
management and accountability.

e. Communicating risk and control information to
appropriate areas of the organization.

f. Coordinating the activities of, and communicating
information among, the Board, external and internal
auditors, other assurance providers, and management.

3. Determine whether the internal audit activity evaluates the
design, implementation, and effectiveness of the
organization’s ethics-related objectives, programs, and
activities.

4. Determine if the internal audit activity assesses whether the
IT governance of the organization supports the organization’s
strategies and objectives.

5. Assess the role of the internal audit activity related to risk
management within the organization.

a. Evaluate whether the internal audit activity supports risk
management in an independent and objective manner.
How does the internal audit activity manage situations
where they have responsibility for some aspect of risk
management?

b. Evaluate whether there is a clear understanding of roles
and responsibilities related to risk management within the
organization consistent with the “Three Lines of Defense”
framework.

c. Determine whether an assurance map is used to
communicate responsibility for assurance activities
related to significant PSE-level risks.

d. Evaluate whether the internal audit activity considers
fraud during the annual risk assessment process and for
individual engagements.

e. Evaluate whether the results of assurance and consulting
activities are both considered in the risk management
process. Is there a difference between the two?

6. Assess the role of the internal audit activity related to control
within the organization.

a. Determine if the internal audit activity is aware of control
frameworks used by the organization (e.g., COSO, ISO,
COBIT, and ITIL).

b. Evaluate whether the internal audit activity’s methodology
addresses control within the context of 1) achieving the
organization’s strategic objectives; 2) reliability and
integrity of financial and operational information; 3)
effectiveness and efficiency of operations and programs;
4) safeguarding of assets; and 5) compliance with laws,
regulations, policies, procedures, and contracts.

7. Review the survey and interview results for this program
segment. Determine if the results will have any impact on the
results and conclusion.

8. Check with the quality assessment team members assigned
to the other program segments and determine whether any
internal audit management issues related to Standard 2100
were noted.

Standard GC PC DNC

Key Conformance Criteria:


Standard 2100 – Nature of Work

2100
A. The internal audit activity evaluates and
contributes to the improvement of
governance, risk management, and
control processes using a systematic,
disciplined, and risk-based approach.

2100
B. Internal auditors are proactive, and their
evaluations offer new insights and
consider future impact.

Key Conformance Criteria:


Standard 2110 – Governance

2110
A. The internal audit activity assesses and
makes appropriate recommendations for
improving governance processes for
making strategic and operational
decisions.

2110
B. The internal audit activity assesses and
makes appropriate recommendations for
improving governance processes for
overseeing risk management and control.

2110
C. The internal audit activity assesses and
makes appropriate recommendations for
improving governance processes for
promoting appropriate ethics and values
within the organization.

2110
D. The internal audit activity assesses and
makes appropriate recommendations for
improving governance processes for
ensuring effective organizational
performance management and
accountability.

2110
E. The internal audit activity assesses and
makes appropriate recommendations for
improving governance processes for
communicating risk and control
information for appropriate areas of the
organization.

2110
F. The internal audit activity assesses and
makes appropriate recommendations for
improving governance processes for
coordinating the activities of, and
communicating information among, the
Board, external and internal auditors,
other assurance providers, and
management.

2110.A1
G. The internal audit activity evaluates the
design, implementation, and effectiveness
of the organization’s ethics-related
objectives, programs, and activities.

2110.A2
H. The internal audit activity assesses
whether IT governance of the
organization supports the organization’s
strategies and objectives.

2110.C1
I. The internal audit activity assesses
whether consulting engagement
objectives are consistent with overall
values and goals of the organization.

Key Conformance Criteria:


Standard 2120 – Risk Management

2120
A. The internal audit activity evaluates the
effectiveness and contributes to the
improvement of risk management
processes.

2120
B. The internal audit activity determines
whether organizational objectives align
with the organization’s mission.

2120
C. The internal audit activity determines
whether significant risks are identified and
assessed.

2120
D. The internal audit activity determines
whether appropriate risk responses are
selected that align risks with the
organization’s risk appetite.

2120
E. The internal audit activity determines
whether relevant risk information is
captured and communicated in a timely
manner across the organization, enabling
staff, management, and the Board to
carry out their responsibilities.

2120
F. Risk management processes are
monitored through ongoing management
activities, separate evaluations, or both.

2120.A1
G. The internal audit activity evaluates risk
exposures relating to the organization’s
governance, operations, and information
systems regarding:

a. Achievement of the organization’s
strategic objectives.

b. Reliability and integrity of financial and
operational information.

c. Effectiveness and efficiency of
operations and programs.

d. Safeguarding of assets.

e. Compliance with laws, regulations,
policies, procedures, and contracts.

2120.A2
H. The internal audit activity evaluates how
the organization manages fraud risk, and
if there is fraud potential.

2120.C1
I. During consulting engagements, internal
auditors address risk consistent with the
engagement’s objectives and are alert to
the existence of other significant risks.

2120.C2
J. Internal auditors incorporate knowledge of
risks gained from consulting
engagements into their evaluation of the
organization’s risk management
processes.

2120.C3
K. When assisting management in
establishing or improving risk
management processes, internal auditors
refrain from assuming any management
responsibility by actually managing risks.

2120
L. The internal audit activity evaluates the
effectiveness and contributes to the
improvement of risk management
processes.

Key Conformance Criteria:


Standard 2130 – Control

2130
A. The internal audit activity assists the
organization in maintaining effective
controls by evaluating their effectiveness
and efficiency and by promoting
continuous improvement.

2130.A1
B. The internal audit activity evaluates the
adequacy and effectiveness of controls in
responding to risks within the
organization’s governance, operations,
and information systems regarding:

a. Achievement of the organization’s
strategic objectives.

b. Reliability and integrity of financial and
operational information.

c. Effectiveness and efficiency of
operations and programs.

d. Safeguarding of assets.

e. Compliance with laws, regulations,
policies, procedures, and contracts.

2130.C1
C. Internal auditors incorporate knowledge of
controls gained from consulting
engagements into evaluation of the
organization’s control processes.

Conformance Gaps Noted (if any): Standard

Objective #2: Assess the efficiency and effectiveness of the internal audit activity,
identify opportunities for continuous improvement, and offer ideas to the CAE and the
internal audit activity staff for improving their performance and increasing their ability to
add value.

Initial/Date    WP References

1. Review all information provided in appendices A-0 through
A-4 and identify opportunities for continuous improvement
and successful internal audit practices pertinent to Standard
2100 – Nature of Work.

Opportunities for Continuous Improvement Noted (if any): Standard

Successful Internal Audit Practices Noted (if any): Standard

Standard 2450 – Overall Opinions

Objective #1: Determine the internal audit activity’s level of conformance with the intent
of Standard 2450.

Initial/Date    WP References

1. Determine if an overall opinion is issued by the
internal audit activity.

2. If an overall opinion is issued, determine whether it
takes into account the strategies, objectives, and risks
of the organization and the expectations of senior
management. Determine whether the overall opinion
is supported by sufficient, reliable, relevant, and
useful information.

3. Review the survey and interview results for this
program segment. Determine if the results will have
any impact on the results and conclusion.

4. Check with the quality assessment team members
assigned to the other program segments and
determine whether any internal audit management
issues related to Standard 2450 were noted.

Standard GC PC DNC

Key Conformance Criteria:


Standard 2450 – Overall Opinions

2450
A. When an overall opinion is issued, it takes
into account the expectations of senior
management, the Board, and other
stakeholders, and it is supported by
sufficient, reliable, relevant, and useful
information.

2450
B. An overall opinion communication
identifies the scope, including the period
to which the opinion pertains.

2450
C. An overall opinion communication
identifies scope limitations.

2450
D. An overall opinion communication
identifies consideration of all related
projects, including the reliance on other
assurance providers.

2450
E. An overall opinion communication
identifies the risk or control framework, or
other criteria used as the basis for the
overall opinion.

2450
F. An overall opinion communication
identifies the overall opinion, judgment, or
conclusion reached.

2450
G. An overall opinion states the reasons for
an unfavorable overall opinion.

Conformance Gaps Noted (if any): Standard

Objective #2: Assess the efficiency and effectiveness of the internal audit activity,
identify opportunities for continuous improvement, and offer ideas to the CAE and the
internal audit activity staff for improving their performance and increasing their ability to
add value.

Initial/Date    WP References

1. Review all information provided in appendices A-0
through A-4 and identify opportunities for continuous
improvement and successful internal audit practices
pertinent to Standard 2450 – Overall Opinions.

Opportunities for Continuous Improvement Noted (if any): Standard

Successful Internal Audit Practices Noted (if any): Standard

Standard 2600 – Communicating the Acceptance of Risks

Objective #1: Determine the internal audit activity’s level of conformance with the intent
of Standard 2600.

Initial/Date    WP References

1. Review planning guide information and internal audit
policies or procedures related to communicating the
acceptance of risk within the organization.

a. Determine whether the CAE has developed a
process to communicate management’s acceptance
of risk, including possible escalation of these risks to
the Audit Committee or Board.

b. If a process exists, confirm via interviews that key
internal audit stakeholders (e.g., Audit Committee,
CEO, and the executive to whom the CAE reports
administratively) are aware of and support the
process.

c. Evaluate whether the communication on
acceptance of risks is appropriately documented.

2. Review the survey and interview results for this
program segment. Determine if the results will have
any impact on the results and conclusion.

3. Check with the quality assessment team members
assigned to the other program segments and
determine whether any internal audit management
issues related to Standard 2600 were noted.

Standard GC PC DNC

Key Conformance Criteria:
Standard 2600 – Communicating the
Acceptance of Risks

2600
A. When the CAE concludes that
management has accepted a level of risk
that may be unacceptable to the
organization, the CAE discusses the
matter with senior management. If the
CAE determines that the matter has not
been resolved, he or she communicates
the matter to the Board.

Conformance Gaps Noted (if any): Standard

Objective #2: Assess the efficiency and effectiveness of the internal audit activity,
identify opportunities for continuous improvement, and offer ideas to the CAE and the
internal audit activity staff for improving their performance and increasing their ability to
add value.

Initial/Date    WP References

1. Review all information provided in appendices A-0
through A-4 and identify opportunities for continuous
improvement and successful internal audit practices
pertinent to Standard 2600 – Communicating the
Acceptance of Risks.

Opportunities for Continuous Improvement Noted (if any): Standard

Successful Internal Audit Practices Noted (if any): Standard

Template 2.4.4 Internal Audit Process Assessment/Rating Tool

Organization Name:

Date Prepared:

Prepared By:

Reviewed By:

Instructions for Completion

1. Complete this form for a full external assessment and a self-assessment with
independent external validation. This form may be completed as a component
of a periodic internal assessment.

2. Objective #1 – Please complete each program step as described for each
major series of Standards (e.g., 1000). Document the results of the program
steps in the spaces provided. A different color font may be used to document
results. “W/P” references should be to specific documents provided in
appendix 2.1.1, “Background Information and Document Request Checklist,”
appendix 2.1, “Planning Tools and Checklists,” “Survey Tools,” appendix 2.2,
“Interview Guides,” or benchmark data. Specifically describe areas of
non-conformance in the space provided.

3. Objective #2 – For each major series of Standards, list and comment on any
successful internal audit practice demonstrated by the internal audit activity
or opportunity for continuous improvement identified. This information is
derived from information in the associated planning guides, survey guides,
interview guides, benchmark data, and analysis performed for this program.
The background and experience of the external assessor and assessment
team should be a valuable resource when identifying successful internal audit
practices.

Planning and Preparation    Initial/Date

1. Review implementation guidance specific to the Standards evaluated
in this program segment.

2. Review information included in the planning guide for this program
segment.

3. Confirm receipt of documents included on the Background
Information and Document Request Checklist.

4. Review survey results for questions denoted for this program
segment.

5. Confirm that the list of planned interviews will adequately support the
completion of this program segment. Consider additional interview
questions to support this program segment.

6. Obtain and review any benchmarking information, such as the Global
Audit Information Network (GAIN), related to internal audit
governance (e.g., CAE reporting relationships, Audit Committee
charters, and responsibilities). Identify any potential opportunities for
improvement.

7. Review appendix A-4, “Internal Audit Process,” as it relates to internal
audit staff. Evaluate successful internal audit practices noted by the
CAE. Identify successful internal audit practices in evidence within the
internal audit activity, or those processes or practices that are
particularly effective or noteworthy. Consider the relative size of the
internal audit activity when making this determination.

8. Review the internal audit activity strategic plan (appendix A-0,
document #8) and the supporting strengths, weaknesses,
opportunities, and threats analysis to identify potential opportunities
for continuous improvement or successful internal audit practices
related to internal audit governance.

9. Evaluate the list of all engagements completed in the current and prior
year. Select a representative sample of completed engagements
(assurance, consulting, or blended) for use in the evaluation of
conformance with Standards 2200, 2300, 2400, and 2500.

10. Examine the list of software used by the internal audit activity. Obtain
necessary access to the software to facilitate the review of the
supporting records for audit engagements selected in the previous
program step (#8).

11. Review the list of CAATs currently used by the internal audit activity.
Note any reference in the internal audit activity’s policies and
procedures regarding the use of CAATs in the engagement
management process that will assist in your completion of program
step (#9).

12. For the representative sample of completed engagements selected in
program step (#9), complete program steps associated with
evaluating conformance with Standards 2200, 2300, 2400, and 2500.

13. Complete appendix D-5, “Supplemental Program: Workpaper
Review,” to support conclusions on conformance with the Standards
for each engagement selected in program step (#9).

Standard 2200 – Engagement Planning

Objective #1: Determine the internal audit activity’s level of conformance with the
intent of Standard 2200.

Initial/Date    WP References

1. Review planning guide information and internal audit activity policies or
procedures related to engagement-level planning.

a. Determine whether planning for each engagement considers the organization’s
strategies, objectives, and risks relevant to the engagement.

b. Evaluate the consistency and quality of the documentation found in the
engagement workpapers supporting planning.

c. Evaluate whether engagement-level planning is linked to the objectives
established during the annual audit planning process.

d. Determine whether engagement-level planning is appropriately documented in a
manner consistent with the defined methodology.

e. Determine whether a planning checklist is used to ensure all required
elements of planning are performed and documented.

f. Evaluate whether engagement-level risk assessment is performed and
documented in a manner to focus engagement scope in areas of high risk.
Comment on the method for documenting engagement-level risk assessment
(e.g., risk and control matrix).

g. Evaluate whether evaluation criteria are defined during the planning process
to allow for an evaluation of governance, risk management, and control.

h. Evaluate whether the scope of each engagement is documented and is derived
from the engagement planning process. Does the scope consider relevant
systems, records, personnel, and physical properties (including those under
the control of third parties), and is it consistent with the audit objectives?

i. Evaluate whether internal audit activity resources assigned to the
engagement are adequate and have the requisite skills and competencies to meet
engagement objectives.

j. Determine whether the engagement work program is derived from the engagement
planning process and linked to fieldwork activities.

k. Determine whether the engagement work program was approved by the CAE or
their designee prior to the onset of fieldwork.

l. Determine if planning for consulting engagements is defined in internal
audit policies and procedures, and determine whether it is applied
consistently. Are consulting engagements accepted based on their potential to
improve management of risks, add value, and improve the organization’s
operations? Are objectives, scope, and deliverables defined in planning
documentation?

2. Review the survey and interview results for this program segment. Determine
if the results will have any impact on the results and conclusion.

3. Check with the quality assessment team members assigned to the other program
segments and determine whether any internal audit management issues related to
Standard 2200 were noted.

Columns: Key Conformance Criteria; Standard; GC; PC; DNC

Key Conformance Criteria: Standard 2200 – Engagement Planning

A. Internal auditors develop and document a plan for each engagement, including
the engagement’s objectives, scope, timing, and resource allocations. (2200)

B. The plan for each engagement considers the organization’s strategies,
objectives, and risks relevant to the engagement. (2200)

Key Conformance Criteria: Standard 2201 – Planning Considerations

A. When planning the engagement, the internal auditors consider the strategies
and objectives of the activity being reviewed and the means by which the
activity controls its performance. (2201)

B. When planning the engagement, the internal auditors consider the significant
risks to the activity’s objectives, resources, and operations, and the means
by which the potential impact of risk is kept to an acceptable level. (2201)

C. When planning the engagement, the internal auditors consider the adequacy
and effectiveness of the activity’s governance, risk management, and control
processes, compared to a relevant framework or model. (2201)

D. When planning the engagement, the internal auditors consider the
opportunities for making significant improvements to the activity’s
governance, risk management, and control processes. (2201)

E. When planning an engagement for parties outside the organization, internal
auditors establish a written understanding with them about objectives, scope,
respective responsibilities, and other expectations, including restrictions on
distribution of the results of the engagement and access to engagement
records. (2201.A1)

F. Internal auditors establish an understanding with consulting engagement
clients about objectives, scope, respective responsibilities, and other client
expectations. For significant engagements, this understanding is
documented. (2201.C1)

Key Conformance Criteria: Standard 2210 – Engagement Objectives

A. Objectives are established for each engagement. (2210)

B. Internal auditors conduct a preliminary assessment of the risks relevant to
the activity under review. Engagement objectives reflect the results of this
assessment. (2210.A1)

C. The internal auditors consider the probability of significant errors, fraud,
noncompliance, and other exposures when developing the engagement
objectives. (2210.A2)

D. The internal auditors ascertain the extent to which management and/or the
Board has established adequate criteria to determine whether objectives and
goals have been accomplished. If adequate, internal auditors use such criteria
in their evaluation. If inadequate, internal auditors identify appropriate
evaluation criteria through discussion with management and/or the
Board. (2210.A3)

E. Consulting engagement objectives address governance, risk management, and
control processes to the extent agreed upon with the client. (2210.C1)

F. Consulting engagement objectives are consistent with the organization’s
values, strategies, and objectives. (2210.C2)

Key Conformance Criteria: Standard 2220 – Engagement Scope

A. The established scope is sufficient to achieve the objectives of the
engagement. (2220)

B. The scope of the engagement includes consideration of relevant systems,
records, personnel, and physical properties, including those under the control
of third parties. (2220.A1)

C. If significant consulting opportunities arise during an assurance
engagement, a specific written understanding as to the objectives, scope,
respective responsibilities, and other expectations is reached and the results
of the consulting engagement are communicated in accordance with consulting
standards. (2220.A2)

D. When performing a consulting engagement, internal auditors ensure that the
scope of the engagement is sufficient to address the agreed-upon objectives.
If internal auditors develop reservations about the scope during the
engagement, these reservations are discussed with the client to determine
whether to continue with the engagement. (2220.C1)

E. During consulting engagements, internal auditors address controls consistent
with the engagement’s objectives and are alert to significant control
issues. (2220.C2)

Key Conformance Criteria: Standard 2230 – Engagement Resource Allocation

A. Internal auditors determine appropriate and sufficient resources to achieve
engagement objectives based on an evaluation of the nature and complexity of
each engagement, time constraints, and available resources. (2230)

Key Conformance Criteria: Standard 2240 – Engagement Work Program

A. Internal auditors develop and document work programs that achieve the
engagement objectives. (2240)

B. Work programs include procedures for identifying, analyzing, evaluating, and
documenting information during the engagement. (2240.A1)

C. The work program is approved prior to its implementation, and any
adjustments are approved promptly. (2240.A1)

D. Work programs are in evidence for consulting engagements but may vary in
form and content depending upon the nature of the engagement. (2240.C1)

Conformance Gaps Noted (if any):    Standard


Objective #2: Assess the efficiency and effectiveness of the internal audit activity,
identify opportunities for continuous improvement, and offer ideas to the CAE and the
internal audit activity staff for improving their performance and increasing their ability
to add value.

Initial/Date    WP References

1. Review all information provided in appendices A-0 through A-4 and identify
opportunities for continuous improvement and successful internal audit
practices pertinent to Standard 2200 – Engagement Planning.

Opportunities for Continuous Improvement Noted (if any):    Standard

Successful Internal Audit Practices Noted (if any):    Standard

Standard 2300 – Performing the Engagement

Objective #1: Determine the internal audit activity’s level of conformance with the
intent of Standard 2300.

Initial/Date    WP References

1. Review planning guide information and internal audit policies or procedures
related to performing the engagement.

a. Determine whether engagements identify, analyze, evaluate, and document
sufficient information to achieve the engagement’s objectives.

b. Determine whether engagement workpapers document sufficient, reliable,
relevant, and useful information to achieve the engagement’s objectives.

c. Determine whether engagement conclusions and results are based upon an
appropriate level of analysis. Determine if data analysis is used to support
root-cause evaluation.

d. Determine whether the CAE has established requirements for retention of
internal audit activity records, including engagement records.

e. Determine whether supervisory review and approval takes place at appropriate
times during an engagement and is documented in the engagement workpapers.

f. Evaluate the overall quality and consistency of engagement workpapers. Do
they include all appropriate planning, executing, reporting, and follow-up
records? Are they prepared consistently and in a manner consistent with the
defined methodology?

2. Review the survey and interview results for this program segment. Determine
if the results will have any impact on the results and conclusion.

3. Check with the quality assessment team members assigned to the other program
segments and determine whether any internal audit management issues related to
Standard 2300 were noted.

Columns: Key Conformance Criteria; Standard; GC; PC; DNC

Key Conformance Criteria: Standard 2300 – Performing the Engagement

A. Internal auditors identify, analyze, evaluate, and document sufficient
information to achieve the engagement’s objectives. (2300)

Key Conformance Criteria: Standard 2310 – Identifying Information

A. Internal auditors identify sufficient, reliable, relevant, and useful
information to achieve the engagement’s objectives. (2310)

B. Sufficient information identified is factual, adequate, and convincing so
that a prudent, informed person would reach the same conclusion as the
internal auditor. (2310)

C. Reliable information identified is the best attainable information using
appropriate engagement techniques. (2310)

D. Relevant information identified supports engagement observations and
recommendations and is consistent with the objectives for the
engagement. (2310)

E. Useful information identified helps the organization meet its goals. (2310)

Key Conformance Criteria: Standard 2320 – Analysis and Evaluation

A. Internal auditors base conclusions and engagement results on appropriate
analyses and evaluations. (2320)

Key Conformance Criteria: Standard 2330 – Documenting Information

A. Internal auditors document sufficient, reliable, relevant, and useful
information to support the engagement results and conclusions. (2330)

B. The CAE controls access to engagement records. The CAE obtains the approval
of senior management and/or legal counsel prior to releasing such records to
external parties, as appropriate. (2330.A1)

C. The CAE has developed retention requirements for engagement records
regardless of the medium in which each record is stored. These retention
requirements are consistent with the organization’s guidelines and any
pertinent regulatory or other requirements. (2330.A2)

D. The CAE has developed policies governing the custody and retention of
consulting engagement records, as well as their release to internal and
external parties. These policies are consistent with the organization’s
guidelines and any pertinent regulatory or other requirements. (2330.C1)

Key Conformance Criteria: Standard 2340 – Engagement Supervision

A. Engagements are properly supervised to ensure objectives are achieved,
quality is assured, and staff is developed. (2340)

B. Appropriate evidence of supervision is documented and retained. (2340)

Conformance Gaps Noted (if any):    Standard


Objective #2: Assess the efficiency and effectiveness of the internal audit activity,
identify opportunities for continuous improvement, and offer ideas to the CAE and the
internal audit activity staff for improving their performance and increasing their ability
to add value.

Initial/Date    WP References

1. Review all information provided in appendices A-0 through A-4 and identify
opportunities for continuous improvement and successful internal audit
practices pertinent to Standard 2300 – Performing the Engagement.

Opportunities for Continuous Improvement Noted (if any):    Standard

Successful Internal Audit Practices Noted (if any):    Standard

Standard 2400 – Communicating Results

Objective #1: Determine the internal audit activity’s level of conformance with the
intent of Standard 2400.

Initial/Date    WP References

1. Review planning guide information and internal audit policies or procedures
related to communicating results.

a. Determine whether engagement reports include the engagement’s objectives,
scope, and results.

b. Evaluate the format used to communicate results. Is the format
template-driven? Is there an executive summary with detailed results and
appendices?

c. Determine whether final communication of engagement results includes
applicable conclusions, as well as applicable recommendations and/or action
plans.

d. Determine whether the internal auditor’s opinion (if provided) takes into
account the expectations of senior management and the Board, and is supported
by reliable, relevant, and useful information.

e. Determine whether all observations shown as reportable items in the
engagement workpapers are included in the final communication of results.

f. Evaluate the overall quality of the final communication of results. Is it
accurate, objective, clear, concise, constructive, complete, and timely?

g. Determine whether criteria used in the report are documented within the body
of the report or in an appendix to the report.

h. Confirm that reports are distributed to parties who can ensure that the
results are given due consideration.

i. Determine whether results of consulting engagements are delivered in a
manner consistent with planning requirements.

j. Determine whether the language, “conducted in conformance with the
International Standards for the Professional Practice of Internal Auditing” is
used appropriately.

2. Review the survey and interview results for this program segment. Determine
if the results will have any impact on your results and conclusion.

3. Check with the quality assessment team members assigned to the other program
segments and determine whether any internal audit management issues related to
Standard 2400 were noted.

Columns: Key Conformance Criteria; Standard; GC; PC; DNC

Key Conformance Criteria: Standard 2400 – Communicating Results

A. Internal auditors communicate the results of engagements. (2400)

Key Conformance Criteria: Standard 2410 – Criteria for Communicating

A. Communications include the engagement’s objectives, scope, and
results. (2410)

B. The final communication of engagement results includes applicable
conclusions, as well as applicable recommendations and/or action
plans. (2410.A1)

C. Where appropriate, the internal auditor’s opinion is provided. An opinion
must take into account the expectations of senior management, the Board, and
other stakeholders, and must be supported by sufficient, reliable, relevant,
and useful information. (2410.A1)

D. Internal auditors acknowledge satisfactory performance in engagement
communication. (2410.A2)

E. When releasing engagement results to parties outside the organization, the
communication includes limitations on distribution and use of the
results. (2410.A3)

Key Conformance Criteria: Standard 2420 – Quality of Communications

A. Communications are accurate, free from errors and distortions, and are
faithful to the underlying facts. (2420)

B. Communications are objective, fair, impartial, and unbiased, and are the
result of a fair-minded and balanced assessment of all relevant facts and
circumstances. (2420)

C. Communications are clear, easily understood, and logical, avoid unnecessary
technical language, and provide all significant and relevant
information. (2420)

D. Communications are concise, to the point, and avoid unnecessary elaboration,
superfluous detail, redundancy, and wordiness. (2420)

E. Communications are constructive, helpful to the engagement client and the
organization, and lead to improvements where needed. (2420)

F. Communications are complete, lack nothing that is essential to the target
audience, and include all significant and relevant information and
observations to support recommendations and conclusions. (2420)

G. Communications are timely, opportune and expedient, and depending on the
significance of the issue, allow management to take appropriate corrective
action. (2420)

Key Conformance Criteria: Standard 2421 – Errors and Omissions

A. If a final communication contained a significant error or omission, the CAE
has communicated corrected information to all parties who received the
original communication. (2421)

Key Conformance Criteria: Standard 2430 – Use of “Conducted in Conformance with
the International Standards for the Professional Practice of Internal Auditing”

A. Indicating that engagements are “conducted in conformance with the
International Standards for the Professional Practice of Internal Auditing” is
appropriate only if supported by the results of the quality assurance and
improvement program. (2430)

Key Conformance Criteria: Standard 2431 – Engagement Disclosure of
Nonconformance

A. When non-conformance with the Definition of Internal Auditing, the Code of
Ethics, or the Standards impacts a specific engagement, communication of the
results discloses the: (2431)

a. Principle or Rule of Conduct of the Code of Ethics or the Standards with
which full conformance was not achieved.

b. Reason(s) for non-conformance.

c. Impact of non-conformance on the engagement and the communicated engagement
results.

Key Conformance Criteria: Standard 2440 – Disseminating Results

A. The CAE communicates results to the appropriate parties. (2440)

B. The CAE is responsible for reviewing and approving the final engagement
communication before issuance, and for deciding to whom and how it will be
disseminated. When the CAE delegates these duties, they retain overall
responsibility. (2440)

C. The CAE communicates the final results to parties who can ensure that the
results are given due consideration. (2440.A1)

D. If not otherwise mandated by legal, statutory, or regulatory requirements,
prior to releasing results to parties outside the organization, the CAE
(suggested – not mandatory): (2440.A2)

a. Assesses the potential risk to the organization.

b. Consults with senior management and/or legal counsel as appropriate.

c. Controls dissemination by restricting the use of results.

E. The CAE communicates the final results of consulting engagements to
clients. (2440.C1)

F. During consulting engagements, governance, risk management, and control
issues may be identified. Whenever these issues are significant to the
organization, they are communicated to senior management and the
Board. (2440.C2)

Conformance Gaps Noted (if any):    Standard


Objective #2: Assess the efficiency and effectiveness of the internal audit activity,
identify opportunities for continuous improvement, and offer ideas to the CAE and the
internal audit activity staff for improving their performance and increasing their ability
to add value.

Initial/Date    WP References

1. Review all information provided in appendices A-0 through A-4 and identify
opportunities for continuous improvement and successful internal audit
practices pertinent to Standard 2400 – Communicating Results.

Opportunities for Continuous Improvement Noted (if any):    Standard

Successful Internal Audit Practices Noted (if any):    Standard

Standard 2500 – Monitoring Progress

Objective #1: Determine the internal audit activity’s level of conformance with the
intent of Standard 2500.

Initial/Date    WP References

1. Review planning guide information and internal audit policies or procedures
related to monitoring progress.

a. Determine whether a system is used to monitor internal audit activity
results to ensure that management actions have been effectively implemented or
that senior management has accepted the risk of not taking action.

b. Determine whether a monitoring system is used to communicate the disposition
of internal audit results to senior management and the Board.

c. Determine whether a process exists to ensure that all items reported in
engagement reports are included in the monitoring process.

d. Determine whether the results of assurance engagements are monitored to the
extent agreed upon by the client.

2. Review the survey and interview results for this program segment. Determine
if the results will have any impact on the results and conclusion.

3. Check with the quality assessment team members assigned to the other program
segments and determine whether any internal audit management issues related to
Standard 2500 were noted.

Columns: Key Conformance Criteria; Standard; GC; PC; DNC

Key Conformance Criteria: Standard 2500 – Monitoring Progress

A. The CAE has established and maintains a system to monitor the disposition of
results communicated to management. (2500)

B. The CAE has established a follow-up process to monitor and ensure that
management actions have been effectively implemented or that senior management
has accepted the risk of not taking action. (2500.A1)

C. The internal audit activity monitors the disposition of results of
consulting engagements to the extent agreed upon with the client. (2500.C1)

Conformance Gaps Noted (if any):    Standard

Objective #2: Assess the efficiency and effectiveness of the internal audit activity,
identify opportunities for continuous improvement, and offer ideas to the CAE and the
internal audit activity staff for improving their performance and increasing their ability
to add value.

Initial/Date    WP References

1. Review all information provided in appendices A-0 through A-4 and identify
opportunities for continuous improvement and successful internal audit
practices pertinent to Standard 2500 – Monitoring Progress.

Opportunities for Continuous Improvement Noted (if any):    Standard

Successful Internal Audit Practices Noted (if any):    Standard


Standard 2600 – Resolution of Senior Management’s Acceptance of Risks

Objective #1: Determine the internal audit activity’s level of conformance with the intent of
Standard 2600.

Initial/Date    WP References

1. Review planning guide information and internal audit policies or procedures
related to resolution of senior management’s acceptance of risks.

a. Determine whether a documented process on resolution of senior management’s
acceptance of risks exists in the existing policies.

b. Review evidence of conformance in minutes of meetings where a significant
risk issue was discussed with the executive management team, the Board, or a
risk committee, if any.

c. Establish if there is a memo also filed as documentation of the steps taken
to alert management and the Board in the event that the CAE communicates the
unacceptable risk situation through one-on-one meetings or during a private
session.

2. Review the survey and interview results for this program segment. Determine
if the results will have any impact on the results and conclusion.

3. Check with the quality assessment team members assigned to the other program
segments and determine whether any internal audit management issues related to
Standard 2600 were noted.


Columns: Key Conformance Criteria; Standard; GC; PC; DNC

Key Conformance Criteria: Standard 2600 – Monitoring Progress

When the chief audit executive believes that senior management has accepted a
level of residual risk that may be unacceptable to the organization, the chief
audit executive must discuss the matter with senior management. If the
decision regarding residual risk is not resolved, the chief audit executive
must report the matter to the Board for resolution. (2600)

Conformance Gaps Noted (if any):    Standard


Objective #2: Assess the efficiency and effectiveness of the internal audit activity,
identify opportunities for continuous improvement, and offer ideas to the CAE and the
internal audit activity staff for improving their performance and increasing their ability
to add value.

Initial/Date    WP References

1. Review all information provided in appendices 2.1.1 through 2.1.4 and
identify opportunities for continuous improvement and successful internal
audit practices pertinent to Standard 2600 – Monitoring Progress.

Opportunities for Continuous Improvement Noted (if any):    Standard

Successful Internal Audit Practices Noted (if any):    Standard


Template 2.4.5 Mapping of Internal Audit Standards to QAIP Tools

Organization Name:

Date Prepared:

Prepared By:

Columns: Standard; Planning Guide; Survey Tool References (2.2.1, 2.2.2);
Interview Guide Question (2.3.1, 2.3.2, 2.3.4, 2.3.3); Program Reference

1000 – Purpose, Authority, and Responsibility: 3 1,3 2.1.2 1,11 1,3 1,3 1,3,4 2.4.1

1010 – Recognition of the Definition of Internal Auditing, the Code of Ethics,
and the Standards in the Internal Audit Charter

1100 – Independence and Objectivity: 2.1.2 2.4.1

1110 – Organizational Independence: 5,6 2 2 1 1 1

1111 – Direct Interaction with the Board: 3 1

1112 – Chief Audit Executive Roles Beyond Internal Auditing

1120 – Individual Objectivity: 2 6 1


1130 – Impairment to Independence or Objectivity: 5,6 2 2 1 1 1

1200 – Proficiency and Due Professional Care: 2.1.2 2.4.2

1210 – Proficiency: 7-11 7-8 6,11 2 2 2 13,14

1220 – Due Professional Care: 21,22 9-10

1230 – Continuing Professional Development: 12 11-16 6,11 2,5,6

1300 – Quality Assurance and Improvement Program: 2.1.2 2.4.1

1310 – Requirements of the Quality Assurance and Improvement Program: 4

1311 – Internal Assessments: 24-27 28-31 14 9 8 7-8

1312 – External Assessments

1320 – Reporting on the Quality Assurance and Improvement Program

1321 – Use of “Conforms with the International Standards for the Professional
Practice of Internal Auditing”

1322 – Disclosure of Non-conformance


2000 – Managing the Internal Audit Activity: 2.4.3 2.1.4

2010 – Planning: 15,16 18 5,12 1,4 1,4 3,7

2020 – Communication and Approval: 16 3,5,12

2030 – Resource Management: 6,12

2040 – Policies and Procedures: 17 6

2050 – Coordination and Reliance: 10 7 6

2060 – Reporting to Senior Management and the Board: 3,5

2070 – External Service Provider and Organizational Responsibility for Internal
Auditing

2100 – Nature of Work: 2.1.4 2.4.3

2110 – Governance: 17 22 7 5 5 3

2120 – Risk Management: 18 20 8,9 6


2130 – Control: 19 19

2200 – Engagement Planning: 2.1.4 23 4,8 7 2.4.4

2201 – Planning Considerations: 21,22 13,14

2210 – Engagement Objectives

2220 – Engagement Scope

2230 – Engagement Resource Allocation: 2.1.4 2.4.4

2240 – Engagement Work Program: 20 25,26 5

2300 – Performing the Engagement: 27 2.1.4 8 7 7 2.4.4

2310 – Identifying Information: 13-14 8 7

2320 – Analysis and Evaluation

2330 – Documenting Information: 24

2340 – Engagement Supervision

2410 – Criteria for Communicating

2420 – Quality of Communications: 23

2421 – Errors and Omissions

2430 – Use of “Conducted in Conformance with the International Standards for
the Professional Practice of Internal Auditing”

2431 – Engagement Disclosure of Nonconformance

2440 – Disseminating Results

2450 – Overall Opinions: 2.1.4 2.4.3

2500 – Monitoring Progress: 2.1.5 8 7 2.4.4

2600 – Communicating the Acceptance of Risks: 2.1.4 1 2.4.3

Code of Ethics: 2.1.2 1,2,4 4,5,21 6 2.4.1


Appendix 2.5 Evaluation Summaries

Appendix 2.5.1 Ratings Definitions

Rating and Definition

GC - "Generally Conforms" means the evaluator has concluded that the relevant structures,
policies, and procedures of the activity, as well as the processes by which they are applied, comply
with the requirements of the individual Standard or element of the Code of Ethics in all material
respects. For the sections and major categories, this means that there is general conformance to
a majority of the individual Standards or elements of the Code of Ethics, and at least partial
conformance to the others, within the section/category. There may be significant opportunities for
improvement, but these must not represent situations where the activity has not implemented the
Standards or the Code of Ethics, has not applied them effectively, or has not achieved their stated
objectives. As indicated above, general conformance does not require complete/perfect
conformance, the ideal situation, "successful practice," etc.
PC - "Partially Conforms" means the evaluator has concluded that the activity is making
good-faith efforts to comply with the requirements of the individual Standard or element of the Code of
Ethics, section, or major category, but falls short of achieving some major objectives. These will
usually represent significant opportunities for improvement in effectively applying the Standards
or Code of Ethics and/or achieving their objectives. Some deficiencies may be beyond the control
of the activity and may result in recommendations to senior management or the Board of the
organization.
DNC - "Does Not Conform" means the evaluator has concluded that the activity is not aware of,
is not making good-faith efforts to comply with, or is failing to achieve many/all of the objectives
of the individual Standard or element of the Code of Ethics, section, or major category. These
deficiencies will usually have a significant negative impact on the activity's effectiveness and its
potential to add value to the organization. These may also represent significant opportunities for
improvement, including actions by senior management or the Board.

N/A - "Not Applicable" means the Standard was not applicable to the PSE or the instance did not arise.


Template 2.5.2 Detailed Evaluation Summary

Name of Public Sector Entity: [Insert Name of PSE here]
Internal Audit Quality Assessment - Attribute Standards Conformance
Period Covered: dd/mm/yyyy to dd/mm/yyyy
Rating of Generally Conforms (GC) | Rating of Partially Conforms (PC) | Rating of Not Conform (DNC)

| ATTRIBUTE STANDARDS | Assessment Scoring | Rationale for Assessment/Current State | Recommendations | Comments |
|---|---|---|---|---|
| 1000 Purpose, Authority and Responsibility: The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive must periodically review the internal audit charter and present it to senior management and the Board for approval. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 1000.A1 – The nature of assurance services provided to the organization must be defined in the internal audit charter. If assurances are to be provided to parties outside the organization, the nature of these assurances must also be defined in the internal audit charter. | | | | |
| 1000.C1 – The nature of consulting must be defined in the internal audit charter. | | | | |
| 1010 Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter - The mandatory nature of the Definition of Internal Auditing, the Code of Ethics, and the Standards must be recognized in the internal audit charter. The chief audit executive should discuss the Definition of Internal Auditing, the Code of Ethics, and the Standards with senior management and the Board. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 1100 Independence and Objectivity: The internal audit activity must be independent, and internal auditors must be objective in performing their work. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 1110 Organizational Independence - The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfil its responsibilities. The chief audit executive must confirm to the Board, at least annually, the organizational independence of the internal audit activity. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 1110.A1 – The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results. | | | | |
| 1111 Direct Interaction with the Board - The chief audit executive must communicate and interact directly with the Board. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 1112 Chief Audit Executive Roles Beyond Internal Auditing | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 1120 Individual Objectivity: Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 1130 Impairments to Independence or Objectivity: Impairment to Independence or Objectivity - If independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed to appropriate parties. The nature of the disclosure will be dependent upon the impairment. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 1130.A1 – Internal auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year. | | | | |
| 1130.A2 – Assurance engagements for functions over which the chief audit executive has responsibility must be overseen by a party outside the internal audit activity. | | | | |
| 1130.C1 – Internal auditors may provide consulting services relating to operations for which they had previous responsibilities. | | | | |
| 1130.C2 – If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure must be made to the engagement client prior to accepting the engagement. | | | | |
| 1200 Proficiency and Due Professional Care: Engagements must be performed with proficiency and due professional care. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 1210 Proficiency: Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 1210.A1 – The chief audit executive must obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement. | | | | |
| 1210.A2 – Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud. | | | | |
| 1210.A3 – Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing. | | | | |
| 1210.C1 – The chief audit executive must decline the consulting engagement or obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement. | | | | |
| 1220 Due Professional Care: Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 1220.A1 – Internal auditors must exercise due professional care by considering the: • Extent of work needed to achieve the engagement’s objectives; • Relative complexity, materiality, or significance of matters to which assurance procedures are applied; • Adequacy and effectiveness of governance, risk management, and control processes; • Probability of significant errors, fraud, or nonconformance; and • Cost of assurance in relation to potential benefits. | | | | |
| 1220.A2 – In exercising due professional care the internal auditor must consider the use of technology-based audit and other data analysis techniques. | | | | |
| 1220.A3 – Internal auditors must be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified. | | | | |
| 1220.C1 – Internal auditors must exercise due professional care during a consulting engagement by considering the: • Needs and expectations of clients, including the nature, timing, and communication of engagement results; • Relative complexity and extent of work needed to achieve the engagement’s objectives; and • Cost of the consulting engagement in relation to potential benefits. | | | | |
| 1230 Continuing Professional Development: Internal auditors must enhance their knowledge, skills, and other competencies through continuing professional development. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 1300 Quality Assurance and Improvement Program: The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 1310 Requirements of the Quality Assurance and Improvement Program: The quality assurance and improvement program must include both internal and external assessments. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 1311 Internal Assessments: Internal assessments must include: • Ongoing monitoring of the performance of the internal audit activity; and • Periodic reviews performed through self-assessment or by other persons within the organization with sufficient knowledge of internal audit practices. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 1312 External Assessments: * External assessments must be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization. The chief audit executive must discuss with the Board: • The need for more frequent external assessments; and • The qualifications and independence of the external reviewer or review team, including any potential conflict of interest. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 1320 Reporting on the Quality Program: The chief audit executive should communicate the results of external assessments to the Board. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 1321 Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing”: The chief audit executive may state that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing only if the results of the quality assurance and improvement program support this statement. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 1322 Disclosure of Nonconformance: When nonconformance with the Definition of Internal Auditing, the Code of Ethics, or the Standards impacts the overall scope or operation of the internal audit activity, the chief audit executive must disclose the nonconformance and the impact to senior management and the Board. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 2000 Managing the Internal Audit Activity: The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organization. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 2010 Planning - The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 2010.A1 – The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the Board must be considered in this process. | | | | |
| 2010.A2 – The chief audit executive must identify and consider the expectations of senior management, the Board, and other stakeholders for internal audit opinions and other conclusions. | | | | |
| 2010.C1 – The chief audit executive should consider accepting proposed consulting engagements based on the engagement’s potential to improve management of risks, add value, and improve the organization’s operations. Accepted engagements must be included in the plan. | | | | |
| 2020 Communication and Approval: The chief audit executive must communicate the internal audit activity’s plans and resource requirements, including significant interim changes, to senior management and the Board for review and approval. The chief audit executive must also communicate the impact of resource limitations. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 2030 Resource Management: The chief audit executive must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 2040 Policies and Procedures: The chief audit executive must establish policies and procedures to guide the internal audit activity. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 2050 Coordination: The chief audit executive should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 2060 Reporting to Senior Management and the Board: The chief audit executive must report periodically to senior management and the Board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting must also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the Board. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 2070 External Service Provider and Organizational Responsibility for Internal Auditing: When an external service provider serves as the internal audit activity, the provider must make the organization aware that the organization has the responsibility for maintaining an effective internal audit activity. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 2100 Nature of Work: The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 2110 Governance: The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives: • Promoting appropriate ethics and values within the organization; • Ensuring effective organizational performance management and accountability; • Communicating risk and control information to appropriate areas of the organization; and • Coordinating the activities of and communicating information among the Board, external and internal auditors, and management. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 2110.A1 – The internal audit activity must evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities. | | | | |
| 2110.A2 – The internal audit activity must assess whether the information technology governance of the organization supports the organization’s strategies and objectives. | | | | |
| 2120 Risk Management: The internal audit activity must evaluate the effectiveness and contribute to the improvement of the risk management processes. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 2120.A1 – The internal audit activity must evaluate risk exposures relating to the organization’s governance, operations, and information systems regarding the: • Reliability and integrity of financial and operational information; • Effectiveness and efficiency of operations and programs; • Safeguarding of assets; and • Conformance with laws, regulations, policies, procedures, and contracts. | | | | |
| 2120.A2 – The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk. | | | | |
| 2120.C1 – During consulting engagements, internal auditors must address risk consistent with the engagement’s objectives and be alert to the existence of other significant risks. | | | | |
| 2120.C2 – Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of the organization’s risk management processes. | | | | |
| 2120.C3 – When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks. | | | | |
| 2130 Control: The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 2130.A1 – The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems regarding the: • Reliability and integrity of financial and operational information; • Effectiveness and efficiency of operations and programs; • Safeguarding of assets; and • Compliance with laws, regulations, policies, procedures, and contracts. | | | | |
| 2130.C1 – Internal auditors must incorporate knowledge of controls gained from consulting engagements into evaluation of the organization's control processes. | | | | |

Name of PSE: [Insert Name of PSE]
Internal Audit Quality Assessment - Performance Standards Conformance
Period Covered: dd/mm/yyyy to dd/mm/yyyy
Rating of 2 = Generally Conforms (GC) | Rating of 1 = Partially Conforms (PC) | Rating of 0 = Does Not Conform (DNC)

| PERFORMANCE STANDARDS | Overall Rating | Rationale for Assessment/Current State | Recommendation | Comments |
|---|---|---|---|---|
| 2200 Engagement Planning: Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing and resource allocations. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 2201 Planning Considerations: In planning the engagement, internal auditors must consider: • The objectives of the activity being reviewed and the means by which the activity controls its performance; • The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level; • The adequacy and effectiveness of the activity’s risk management and control processes compared to a relevant control framework or model; and • The opportunities for making significant improvements to the activity’s risk management and control processes. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 2201.A1 – When planning an engagement for parties outside the organization, internal auditors must establish a written understanding with them about objectives, scope, respective responsibilities and other expectations, including restrictions on distribution of the results of the engagement and access to engagement records. | | | | |
| 2201.C1 – Internal auditors must establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding must be documented. | | | | |
| 2210 Engagement Objectives: Objectives must be established for each engagement. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 2210.A1 – Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment. | | | | |
| 2210.A2 – Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives. | | | | |
| 2210.A3 – Adequate criteria are needed to evaluate controls. Internal auditors must ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must work with management to develop appropriate evaluation criteria. | | | | |
| 2210.C1 – Consulting engagement objectives must address governance, risk management, and control processes to the extent agreed upon with the client. | | | | |
| 2210.C2 - Consulting engagement objectives must be consistent with the organization's values, strategies, and objectives. | | | | |
| 2220 Engagement Scope: The established scope must be sufficient to satisfy the objectives of the engagement. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 2220.A1 – The scope of the engagement must include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties. | | | | |
| 2220.A2 – If significant consulting opportunities arise during an assurance engagement, a specific written understanding as to the objectives, scope, respective responsibilities, and other expectations should be reached and the results of the consulting engagement communicated in accordance with consulting standards. | | | | |
| 2220.C1 – In performing consulting engagements, internal auditors must ensure that the scope of the engagement is sufficient to address the agreed-upon objectives. If internal auditors develop reservations about the scope during the engagement, these reservations must be discussed with the client to determine whether to continue with the engagement. | | | | |
| 2220.C2 - During consulting engagements, internal auditors must address controls consistent with the engagement's objectives and be alert to significant control issues. | | | | |
| 2230 Engagement Resource Allocation: Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 2240 Engagement Work Program: Internal auditors must develop and document work programs that achieve the engagement objectives. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 2240.A1 – Work programs must include the procedures for identifying, analyzing, evaluating, and documenting information during the engagement. The work program must be approved prior to its implementation, and any adjustments approved promptly. | | | | |
| 2240.C1 – Work programs for consulting engagements may vary in form and content depending upon the nature of the engagement. | | | | |
| 2300 Performing the Engagement: Internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the engagement’s objectives. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 2310 Identifying Information: Internal auditors must identify sufficient, reliable, relevant, and useful information to achieve the engagement’s objectives. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 2320 Analysis and Evaluation: Internal auditors must base conclusions and engagement results on appropriate analyses and evaluations. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 2330 Documenting Information: Internal auditors must document relevant information to support the conclusions and engagement results. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 2330.A1 – The chief audit executive must control access to engagement records. The chief audit executive must obtain the approval of senior management and/or legal counsel prior to releasing such records to external parties, as appropriate. | | | | |
| 2330.A2 – The chief audit executive must develop retention requirements for engagement records, regardless of the medium in which each record is stored. These retention requirements must be consistent with the organization’s guidelines and any pertinent regulatory or other requirements. | | | | |
| 2330.C1 – The chief audit executive must develop policies governing the custody and retention of consulting engagement records, as well as their release to internal and external parties. These policies must be consistent with the organization’s guidelines and any pertinent regulatory or other requirements. | | | | |
| 2340 Engagement Supervision: Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 2400 Communicating Results: Internal auditors must communicate the results of engagements. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 2410 Criteria for Communicating: Communications must include the engagement’s objectives and scope as well as applicable conclusions, recommendations, and action plans. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
| 2410.A1 – Final communication of engagement results must, where appropriate, contain the internal auditors’ opinion and/or conclusions. When issued, an opinion or conclusion must take account of the expectations of senior management, the Board, and other stakeholders and must be supported by sufficient, reliable, relevant, and useful information. | | | | |
| 2410.A2 – Internal auditors are encouraged to acknowledge satisfactory performance in engagement communications. | | | | |
| 2410.A3 – When releasing engagement results to parties outside the organization, the communication must include limitations on distribution and use of the results. | | | | |
| 2410.C1 – Communication of the progress and results of consulting engagements will vary in form and content depending upon the nature of the engagement and the needs of the client. | | | | |
| 2420 Quality of Communications: Communications must be accurate, objective, clear, concise, constructive, complete, and timely. | | [Insert rationale of the current state assessment] | [Insert recommendations] | [Insert comments] |
2421 Errors and Omissions: [Insert [Insert [Insert
If a final communication rationale of recommendations] comments]
contains a significant the current
error or omission, the

QAIP Guide Page | 274


PERFORMANCE STANDARDS Overall Rationale for Recommendation Comments
Rating Assessment/
Current
State
chief audit executive state
must communicate assessment]
corrected information to
all parties who received
the original
communication.
2430 Use of “Conducted in [Insert [Insert [Insert
conformance with the rationale of recommendations] comments]
International Standards the current
for the Professional state
Practice of Internal assessment]
Auditing:”
Internal auditors may
report that their
engagements are
“conducted in
conformance with the
International Standards
for the Professional
Practice of Internal
Auditing,” only if the
results of the quality
assurance and
improvement program
support the statement.

2431 Engagement Disclosure of Nonconformance: When nonconformance with the Definition of Internal Auditing, the Code of Ethics, or the Standards impacts a specific engagement, communication of the engagement results must disclose the:
• Principle or rule of conduct of the Code of Ethics or Standard(s) with which full conformance was not achieved;
• Reason(s) for nonconformance; and
• Impact of nonconformance on the engagement and the communicated engagement results.
Overall Rating:
Rationale for Assessment/Current State: [Insert rationale of the current state assessment]
Recommendation: [Insert recommendations]
Comments: [Insert comments]

2440 Disseminating Results: The chief audit executive must communicate results to the appropriate parties.
Overall Rating:
Rationale for Assessment/Current State: [Insert rationale of the current state assessment]
Recommendation: [Insert recommendations]
Comments: [Insert comments]

2440.A1 – The chief audit executive is responsible for communicating the final results to parties who can ensure that the results are given due consideration.

2440.A2 – If not otherwise mandated by legal, statutory, or regulatory requirements, prior to releasing results to parties outside the organization, the chief audit executive must:
• Assess the potential risk to the organization;
• Consult with senior management and/or legal counsel as appropriate; and
• Control dissemination by restricting the use of the results.


2440.C1 – The chief audit executive is responsible for communicating the final results of consulting engagements to clients.

2440.C2 – During consulting engagements, governance, risk management, and control issues may be identified. Whenever these issues are significant to the organization, they must be communicated to senior management and the Board.

2450 Overall Opinions: When an overall opinion is issued, it must take into account the expectation of senior management, the Board, and other stakeholders and must be supported by sufficient, reliable, relevant, and useful information.
Overall Rating:
Rationale for Assessment/Current State: [Insert rationale of the current state assessment]
Recommendation: [Insert recommendations]
Comments: [Insert comments]

2500 Monitoring Progress: The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.
Overall Rating:
Rationale for Assessment/Current State: [Insert rationale of the current state assessment]
Recommendation: [Insert recommendations]
Comments: [Insert comments]

2500.A1 – The chief audit executive must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.

2500.C1 – The internal audit activity must monitor the disposition of results of consulting engagements to the extent agreed upon with the client.

2600 Resolution of Senior Management’s Acceptance of Risks: When the chief audit executive believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive must report the matter to the Board for resolution.
Overall Rating:
Rationale for Assessment/Current State: [Insert rationale of the current state assessment]
Recommendation: [Insert recommendations]
Comments: [Insert comments]

3000 Code of Ethics
Overall Rating:
Rationale for Assessment/Current State: [Insert rationale of the current state assessment]
Recommendation: [Insert recommendations]
Comments: [Insert comments]

3010 Integrity - Internal Auditors: The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.
Overall Rating:
Rationale for Assessment/Current State: [Insert rationale of the current state assessment]
Recommendation: [Insert recommendations]
Comments: [Insert comments]

3020 Objectivity - Internal Auditors: Internal auditors exhibit high levels of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.
Overall Rating:
Rationale for Assessment/Current State: [Insert rationale of the current state assessment]
Recommendation: [Insert recommendations]
Comments: [Insert comments]

3030 Confidentiality - Internal Auditors: Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.
Overall Rating:
Rationale for Assessment/Current State: [Insert rationale of the current state assessment]
Recommendation: [Insert recommendations]
Comments: [Insert comments]



Template 2.5.3 Evaluation Summary

Name of PSE: [Insert Name of the PSE]
Period Covered: dd/mm/yyyy to dd/mm/yyyy
Internal Audit Quality Assessment - Overall Conformance Level
Assessment: GC / PC / DNC

IIA Standard Overall Assessment


1000 – Purpose, Authority, and Responsibility
1010 – Recognizing Mandatory Guidance in the Internal Audit Charter
1100 – Independence and Objectivity
1110 – Organisational Independence
1111 – Direct Interaction with the Board
1112 – Chief Audit Executive Roles Beyond Internal Auditing
1120 – Individual Objectivity
1130 – Impairments to Independence or Objectivity
1200 – Proficiency and Due Professional Care
1210 – Proficiency
1220 – Due Professional Care
1230 – Continuing Professional Development
1300 – Quality Assurance and Improvement Program
1310 – Requirements of the Quality Assurance and Improvement Program
1311 – Internal Assessments
1312 – External Assessments
1320 – Reporting on the Quality Assurance and Improvement Programme
1321 – Use of Conforms with the International Standards for the Professional Practice of Internal Auditing
1322 – Disclosure of non-conformance
2000 – Managing the Internal Audit Activity
2010 – Planning
2020 – Communication and Approval
2030 – Resource Management
2040 – Policies and Procedures
2050 – Coordination and Reliance
2060 – Reporting to Senior Management and the Board
2070 – External Service Provider and Organisational Responsibility for Internal Audit
2100 – Nature of Work
2110 – Governance
2120 – Risk Management
2130 – Control
2200 – Engagement Planning
2201 – Planning Considerations
2210 – Engagement Objectives
2220 – Engagement Scope
2230 – Engagement Resource Allocation
2240 – Engagement Work Program
2300 – Performing the Engagement
2310 – Identifying Information
2320 – Analysis and Evaluation
2330 – Documenting Information
2340 – Engagement Supervision
2400 – Communicating Results
2410 – Criteria for Communicating
2420 – Quality of Communications
2421 – Errors and Omissions
2430 – Use of “Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing”
2431 – Engagement Disclosure of Non-conformance
2440 – Disseminating Results
2450 – Overall Opinions
2500 – Monitoring Progress
2600 – Resolution of Senior Management’s Acceptance of Risks
3000 – Code of Ethics
3010 – Integrity - Internal Auditor
3020 – Objectivity - Internal Auditors
3030 – Confidentiality - Internal Auditors



Appendix 2.6 Ongoing Monitoring Review Questions

# Ongoing Monitoring Review Question Yes/No Opportunity for Improvement
A Engagement Planning (IIA 2200)
i) Does the CAE consider the nature and complexity of the engagements when appointing the internal audit teams?
ii) Do the CAE and the internal audit teams hold the first team meetings to discuss the objectives, scope and timing of the internal audit engagements?
iii) Do all internal audit team members declare their individual independence with respect to the audit area by completing the Conflict-of-Interest Declaration Forms?
iv) Are engagement-specific Key Performance Indicators (KPIs) developed, such as execution timelines, cost budgets, effort (days) for each engagement team member, quality of engagement, use of innovative techniques (e.g., data analytics), etc.?
v) Do the internal audit teams identify the tentative engagement objectives as set in the audit plans or the terms of reference where the engagements are requests from senior management or Audit Committees?
vi) Does the CAE issue engagement letters to the auditees communicating, amongst others, the objectives, scope and timing of the engagement?

vii) Are entrance meetings conducted with the auditees’ management to discuss, amongst others, the objectives, scope and timing of the engagements?
Are auditees’ concerns incorporated into the engagement objectives and scope after the entrance meetings?
viii) Do internal audit teams obtain and document an in-depth understanding of the auditees’ business, processes, objectives, related risks and controls, and identify specific audit objectives?
ix) Are process narrative notes documented and referenced to the criteria?
x) Is the design adequacy of controls evaluated and documented in the RCM?
xi) Are there opportunities for making significant improvements to the activity’s risk management and control process?
xii) Does the consideration of the relevant systems, records, personnel, and physical properties include those under the control of third parties?
xiii) Do the audit objectives emanate from the results of the preliminary risk and control assessment?
xiv) Are the contents of audit programs validated and discussed with the auditees before finalization?
xv) Are walkthrough tests conducted on controls evaluated as adequately designed prior to testing their operating effectiveness?

xvi) Are engagement plans summarizing the engagement background, objectives, scope, risks, audit criteria and audit approach completed and signed off by the CAE?
xvii) Are detailed engagement work programs aligned with the engagement objectives completed and signed off by the CAE?
xviii) Are standardized templates used to document all the engagement procedures?
B Performing the Engagement (IIA 2300)
i) Is sufficient, reliable, relevant, and useful information identified, in line with the engagement work programs and engagement’s objectives?
ii) Where items for testing are sampled, are the appropriate sampling techniques applied and documented as appropriate?
iii) Are testing procedures executed according to the approved engagement work programs?
iv) Was testing conducted on the exceptions noted from big data analysis as appropriate?
v) Were all key controls tested for their adequacy and effectiveness?
vi) Do audit findings include ratings to differentiate their significance based on pre-defined criteria?
vii) Are root cause analyses conducted for all the audit findings in collaboration with the auditees’ management?

viii) Were all review notes cleared before audit finalization?
ix) Were the working papers properly cross-referenced to the audit program and report?
C Communicating Results (IIA 2400)
i) Are engagement reports prepared and properly communicated for each audit engagement?
ii) Do engagement reports include the engagements’ objectives, scope and results?
iii) Are the engagement reports accurate, objective, clear, concise, constructive, complete and timely?
iv) Do quarterly reports communicate high risk findings from the engagement reports?
v) Are quarterly reports discussed in the Board?
vi) Is the interim communication made based on:
i) Information that requires immediate attention?
ii) Change in engagement objectives as appropriate?
iii) Change in scope as appropriate?
iv) Keeping management informed on engagement progress when the engagement extends over a long period of time?
v) Informing management on significant matters not related to the engagement?
vi) Are standardized templates used in communicating results?

D Monitoring Progress (IIA 2500)
i) Has the CAE established and maintained a monitoring system in the Internal Audit Manual?
ii) Does the internal audit activity conduct monitoring/follow-up audits on a quarterly basis and issue a monitoring report?
iii) Does the internal audit activity have a monitoring tool/tracker for evaluating the disposition of the audit findings and their aging?
E Overall
i) Are all engagement working papers signed off by the preparer and reviewer?
ii) Have all working papers been put together in a soft or hard copy file in chronological order according to the engagement working paper file index?
iii) Have the engagement KPIs been evaluated by comparing the set targets against the actual outcomes?
iv) Have the internal audit teams received auditees’ feedback surveys and incorporated the improvement feedback in the QAIP monitoring tracker?
v) Does the CAE conduct monthly meetings to conduct internal audit work … check minutes
vi) Does the QAIP report planned work vs implemented?
vii) Does the accounting officer have a template to evaluate the work of the internal audit unit?



Appendix 2.7 Sample Reporting Tools

Template 2.7.1 Sample Reporting Outline for Periodic Self-Assessment

Table of Contents
Abbreviations and Acronyms
Chapter 1: Introduction
1.1 About the PSE
1.2 Background to the Quality Assessment
1.3 Objectives and Scope
1.3.1. Objectives
1.3.2. Scope
Chapter 2 Approach and Methodology to the Assessment
2.1. Planning
2.2. Execution
2.3. Reporting
Chapter 3 Summary of the Assessment Findings
3.1. Positive Internal Audit Practices
3.2. Summary of Gaps to Conformance with Standards or Code of Ethics
3.3. Opportunities for Improvement
3.4. Opinion as to Conformance with the Standards and Code of Ethics
Chapter 4 Detailed Findings and Recommendations
4.1 Internal Audit Governance
4.1.1. Standard 1000 series
4.1.2. Standard 1300 series
4.2 Internal Audit Staff
4.3 Internal Audit Management
4.4. Internal Audit Process
4.5. IIA Code of Ethics
Appendices
Appendix 1: IIA Standards Conformance
Appendix 2: Detailed Scoring and Rating Matrix
Appendix 3: Engagement Client Files Reviewed
Appendix 4: List of Stakeholders Engaged
Appendix 5: Summary of Interviews and Survey Feedback



Template 2.7.2 Sample Reporting Outline for a Full External Assessment

Table of Contents
Abbreviations and Acronyms
Chapter 1: Introduction
1.1 About the PSE
1.2 Background to the Quality Assessment
1.3 Objectives and Scope
1.3.1. Objectives
1.3.2. Scope
Chapter 2 Approach and Methodology to the Assessment
2.1. Planning
2.2. Execution
2.3. Reporting
Chapter 3 Summary of the Assessment Findings
3.1. Positive Internal Audit Practices
3.2. Summary of Gaps to Conformance with Standards or Code of Ethics
3.3. Opportunities for Improvement
3.4. Opinion as to Conformance with the Standards and Code of Ethics
Chapter 4 Detailed Findings and Recommendations
4.1 Internal Audit Governance
4.1.1. Standard 1000 series
4.1.2. Standard 1300 series
4.2 Internal Audit Staff
4.3 Internal Audit Management
4.4. Internal Audit Process
4.5. IIA Code of Ethics
Appendices



Appendix 1: IIA Standards Conformance
Appendix 2: Detailed Scoring and Rating Matrix
Appendix 3: Engagement Client Files Reviewed
Appendix 4: List of Stakeholders Engaged
Appendix 5: Summary of Interviews and Survey Feedback



Template 2.7.3 Sample Independent Validation Statement

INDEPENDENT VALIDATION STATEMENT

[Insert name of independent external assessor] was engaged to conduct an independent
validation of [insert the name of the organization] IA self-assessment. The primary
objective of the validation was to verify the assertions and conclusions made in the
attached self-assessment report concerning adequate fulfillment of the organization’s basic
expectations of IA, its conformity to The IIA’s International Standards for the Professional
Practice of Internal Auditing, and successful internal audit practices and opportunities for
continuous improvement noted. Other matters that might have been covered in a full
external assessment, such as an in-depth analysis of successful practices based on
benchmark data, governance activities, consulting services, and use of advanced
technology, were excluded from the scope of this independent validation by agreement
with the chief audit executive.

In acting as the qualified, independent external assessor from outside the organization,
[Insert name of independent external assessor] is fully independent of [insert the name
of the organization] and has the necessary skills to undertake this engagement. The
validation, concluded on [DATE], 20xx, consisted primarily of a review and a test of the
procedures and results of IA’s self-assessment. In addition, interviews were conducted
with the president and CEO, CFO, Audit Committee chair, other members of senior
management, and the external auditors.

[Insert name of independent external assessor] concurs with IA’s conclusions and
observations documented in the self-assessment report attached. Implementation of the
recommendations contained in the self-assessment report will improve the effectiveness,
enhance the value, and support IA’s conformity with the Standards and the Code of
Ethics.

Name
Independent External Assessor Performing the Validation

Date
Template 2.7.4 QAIP Monitoring Tool

Name of the PSE: <Name of the PSE>


Internal Audit QAIP Monitoring

# | Nature of QAIP | Report Date | Gaps/Weakness Identified | Required Remediation | Remediation Date | Responsible Person | Implementation Status [Complete/Ongoing/Not Started] | Aging Analysis (If not remediated) | Comments [Closed/Overdue]

1
2
3
4
5

Status Number Percentage


Ongoing
Not started
Complete
