OFFICE OF INTERNAL AUDIT
INTERNAL AUDIT QUALITY ASSESSMENT
Self-Assessment Report Number 11-12
April 1, 2011

Quality Assessment Reviewers
William J. Mulcahy, CPA, CIA, MS
Sterling Roth, MBA, CPA, CIA

Staff
Kwabena J. Boakye, Director of Internal Audit
Tiffany A. Britt, Internal Auditor

CONTENTS

EXECUTIVE SUMMARY
  Opinion as to Conformity to the Standards
  Objectives, Scope and Methodology
  Observations and Positive Attributes

CONDITIONS AND RECOMMENDATIONS
  Standard 1000 Purpose, Authority and Responsibility
  Standard 1100 Independence and Objectivity
  Standard 1200 Proficiency and Due Professional Care
  Standard 1300 Quality Assurance and Improvement Program
  Standard 2000 Managing the Internal Audit Activity
  Standard 2100 Nature of Work
  Standard 2200 Engagement Planning
  Standard 2300 Performing the Engagement
  Standard 2400 Communicating Results
  Standard 2500 Monitoring Progress
  Standard 2600 Management Acceptance of Risks
  IIA Code of Ethics

CONCLUSION
  Conclusion

EXECUTIVE SUMMARY

The Georgia Perimeter College Office of Internal Audit conducted a quality assessment (QA) of the internal audit (IA) activity in preparation for validation by an independent assessor. The principal objective of the QA was to assess the IA activity's conformance to The IIA's International Standards for the Professional Practice of Internal Auditing (Standards).

The Georgia Perimeter College Office of Internal Audit is staffed with competent professionals, produces quality written reports and is considered a vital partner by the college president and management.

The IA activity supports the college president and management in the effective discharge of their responsibilities. The IA activity provides an independent appraisal of financial, operational, and control activities. The IA activity reports on the adequacy of internal controls, the accuracy and propriety of transactions, the extent to which assets are accounted for and safeguarded, and compliance with policies and governmental laws and regulations. In addition, the IA activity provides analysis, recommendations, counsel, and information concerning the college's operational activities reviewed.

OPINION AS TO CONFORMITY TO THE STANDARDS

In forming an overall opinion on the IA activity's conformance to the Standards, we utilized the opinions delineated in the Quality Assurance Review Manual, as defined below.

Generally Conforms - Policies, procedures, and an internal auditing charter existed and were deemed to be in accordance with the Standards. Any deficiencies found in applying the policies, procedures, and charter provisions were deemed minor.

Partially Conforms - Policies, procedures, and an internal auditing charter existed, but they were not in complete compliance with the Standards, or significant deficiencies in practice were found that deviated from the Standards.

Does Not Conform - Existing policies, procedures, and an internal auditing charter, where present, were deemed not to comply with the Standards, and/or deficiencies in practice were so significant as to seriously impair audit quality.

It is our overall opinion that the IA activity generally conforms to the Standards and Code of Ethics. For a detailed list of conformance to individual standards, please see QAR Self-Assessment Document. The QA team identified opportunities for further improvement, details of which are provided in the conditions and recommendations section of this report.

OBJECTIVES, SCOPE AND METHODOLOGY

As part of the preparation for the QA, the Georgia Perimeter College Office of Internal Audit prepared a self-study document with reference information. We reviewed the IA activity's risk assessment and audit planning processes, audit tools and methodologies, engagement and staff management processes, and a representative sample of the IA activity's work papers and reports for the period July 2010 to date.

The QA review's primary objectives were to: (1) determine the IA activity's conformance to the Standards, (2) appraise the quality of the IA activity's operations, and (3) provide recommendations for improving the IA activity's conformance to the Standards.

OBSERVATIONS AND POSITIVE ATTRIBUTES

The Georgia Perimeter College Office of Internal Audit is staffed with two competent personnel who are innovative and understand the IIA Standards. The director of internal audit is progressive and endeavors to optimize audit resources and implement appropriate audit best practices. Some positive practices and attributes in place are:

- Audit risk assessment process
- Electronic work papers audit software
- Management of college-wide Ethics Hotline system
- Advisory role on president's policy council
- Leadership role on president's cabinet
- Coordination of external audits
- Continuous professional education

Consequently, the conditions and recommendations outlined in the following section are intended to build on this foundation already in place in the IA activity.

CONDITIONS AND RECOMMENDATIONS

This section contains our observations on the IA's conformance to the Standards. For each category, we cite the Standards and discuss the IA's conformance. For those areas not in complete conformance, we recommend corrective action for implementing the applicable standard.

A. 1000 - Purpose, Authority, and Responsibility

The purpose, authority, and responsibility of the internal audit activity have been formally defined in the internal audit charter and reviewed periodically for approval by the president of Georgia Perimeter College and the Chief Audit Officer at the Board of Regents (BOR) of the University System of Georgia. The IA activity generally conforms to this standard.

B. 1100 - Independence and Objectivity

The director of internal audit reports directly to the president of Georgia Perimeter College and the Chief Audit Officer at the BOR and has unrestricted access to both, as well as to senior management of the institution. This reporting relationship is mandated by BOR Policy Manual Section 7.10.2. In addition, the director of internal audit makes final judgment calls on audit activities at the institution. The IA activity generally conforms to this standard.

C. 1200 - Proficiency and Due Professional Care

The internal audit staff collectively possesses the knowledge, skills and competencies necessary to perform and carry out professional responsibilities with due professional care. The internal auditors possess an undergraduate degree in accounting and/or a graduate degree in accounting and have at least five years of internal audit experience in higher education. The IA activity generally conforms to this standard.

D. 1300 - Quality Assurance and Improvement Program

Except for the condition identified below, when the director of internal audit started in July 2010, he began evaluating the internal audit activity's conformance with the Definition of Internal Auditing and the Standards and the Code of Ethics. The director of internal audit has also been assessing the efficiency and effectiveness of the internal audit activity and introducing initiatives to improve the internal audit activity, such as revising the audit charter, formal audit risk assessment, planning document and formal entrance conference presentations. Also, the director of internal audit reviews work papers completed by the internal audit staff and provides necessary coaching notes to improve audit work documentation. Further, the BOR chief audit officer periodically performs peer reviews of the IA activity.

Condition

The IA activity had not previously had an external quality assessment review by independent reviewers. In addition, the IA activity did not disclose the nonconformance to external assessment and the impact.

Criteria

Standard 1312: External assessments must be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization.

Standard 1320: The chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board.

Standard 1321: The chief audit executive may state that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing only if the results of the quality assurance and improvement program support this statement.

Standard 1322: When nonconformance with the Definition of Internal Auditing, the Code of Ethics, or the Standards impacts the overall scope or operation of the internal audit activity, the chief audit executive must disclose the nonconformance and the impact to senior management and the board.

Recommendation

The IA activity should undergo an external quality assessment review by independent reviewers every five years. In addition, the IA activity should disclose the nonconformance to external assessment and the impact to senior management.

E. 2000 - Managing the Internal Audit Activity

The director of internal audit manages the internal audit activity effectively by completing objective and relevant value-added audit projects that contribute to the effectiveness and efficiency of institution governance, risk management, and control processes. The IA activity generally conforms to this standard.

F. 2100 - Nature of Work

The internal audit activity evaluates and contributes to the improvement of governance, risk management, and control processes using a systematic and disciplined approach as documented in the audit charter and the audit manual. The IA activity generally conforms to this standard.

G. 2200 - Engagement Planning

For each audit engagement other than investigations and advisory services, the internal auditors develop and document an audit program and planning document stating the engagement's objectives, scope and audit fieldwork period. The IA activity generally conforms to this standard.

H. 2300 - Performing the Engagement

For each engagement, the internal auditors identify, analyze, evaluate, and document sufficient information to achieve the engagement's objectives. The IA activity generally conforms to this standard.

I. 2400 - Communicating Results

Except for the condition identified below, results of audit engagements are communicated to the auditee, institution president, executive VP for finance and administration and the chief audit officer at the BOR.

Condition

The IA activity had not previously had an external quality assessment review by independent reviewers, and had not disclosed this nonconformance in the communication of audit results.

Criteria

Standard 2430: Internal auditors may report that their engagements are conducted in conformance with the International Standards for the Professional Practice of Internal Auditing, only if the results of the quality assurance and improvement program support the statement.

Standard 2431: When nonconformance with the Definition of Internal Auditing, the Code of Ethics or the Standards impacts a specific engagement, communication of the results must disclose the:

- Principle or rule of conduct of the Code of Ethics or Standard(s) with which full conformance was not achieved;
- reason(s) for nonconformance; and
- impact of nonconformance on the engagement and the communicated engagement results.

Recommendation

The IA activity should undergo an external quality assessment review by independent reviewers and disclose the nonconformance in the communication of audit results.

J. 2500 - Monitoring Progress

Audit results dispositions are tracked in TeamCentral, within the TeamMate audit software. Necessary follow-up reviews are typically conducted in subsequent audits of the subject area. The IA activity generally conforms to this standard.

K. 2600 - Management's Acceptance of Risks

Generally, management had developed action plans to address risks communicated by the IA activity. Should auditees decide to accept risks unacceptable to the institution, the director of internal audit would discuss the matter with institution senior management. Should the matter remain unresolved, the director of internal audit would report to the institution president and chief audit officer at the BOR for resolution. The IA activity generally conforms to this standard.

The IIA Code of Ethics

The Code of Ethics of The IIA comprises Principles relevant to the profession and practice of internal auditing, and Rules of Conduct that describe behavior expected of internal auditors. The Code of Ethics applies to both parties and entities that provide internal audit services. The internal auditors reflect through their work that they uphold and follow the IIA Code of Ethics and the BOR Ethics Policy. The IA activity generally conforms to this standard.

CONCLUSION

This report discusses the IA activity's responsibility to operate under the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing (Standards), the objective of our quality assurance review, and an overview of the IA activity's conformance with the Standards. The IA activity is aware of the requirement to operate in conformance with the Standards.