Kvalitet i internrevisions-
arbetet
15 maj 2014
Hans Löfgren

Vem är jag?
©TranscendentGroupSverigeAB2013

Vad är kvalitet?
Definitionen enligt ISO 9000:
”Alla sammantagna egenskaper
hos en produkt/prestation som
ger den dess förmåga att
tillfredsställa uttalade eller
underförstådda behov.”
IIA QAIP - Practice Guide:
”Kvaliteten på en produkt eller
tjänst utgörs av den grad som
produkten eller tjänsten möter
kundernas förväntningar.”
©TranscendentGroupSverigeAB2013

Vad är kvalitet i
internrevisionsarbetet?
Quality in internal audit is guided by
both an obligation to meet
customer expectations as well as
professional responsibilities
inherent in conforming with the
Standards. While predominantly
complementary, it is the challenge
for the CAE to achieve both these
requirements.
©TranscendentGroupSverigeAB2013

Kvalitet i internrevisionsarbetet
• Standards 1300 to 1312 specifically require the CAE to develop a
QAIP incorporating both internal (self) assessments and external
assessments.
• Beyond these specific standards, internal audit as a profession,
should maintain a formal, structured approach to quality.
• Operating with proficiency and due professional care,
undertaking continuing professional development and
conforming with a set of recognised standards.
• Each of these allows internal audit to differentiate itself from
non-professional areas.
©TranscendentGroupSverigeAB2013

Hur uppfattar internrevisorer sitt värde?
– CBOK 2011
• Most respondents believe that their internal audit activities add
value to their organizations.
• Both independence and objectivity are viewed as key factors for
internal audit activities to add value.
• While most respondents view their internal audit activity as
contributing to controls, they do not to the same extent perceive
it as contributing to risk management or governance.
• The most important factors to the perceived contribution of the
internal audit activity are: having appropriate access to the audit
committee, functioning without coercion to change a rating
assessment or withdraw a finding and more audit tools or
technology used on a typical audit engagement.
©TranscendentGroupSverigeAB2013

Hur uppfattar kunderna
internrevisorernas värde?
Det finns studier som visar att
kunderna inte är lika positiva
till internrevisionens värde
som internrevisorerna tycker
själva.
©TranscendentGroupSverigeAB2013

44%
56%
79%
21%
PwC:s undersökning 2013
I genomsnitt ansåg
37 procent att
internrevisionen
presterade bra
eller mycket bra
inom de 8
attributen.
I genomsnitt ansåg
56 procent att
internrevisionen
presterade bra
eller mycket bra
inom de 8
attributen.
2013 State of the Internal Audit Profession Study, PwC
Företagsledning och
styrelseledamöter är inte eniga i
sin uppfattning om intern-
revisionens värde och prestation.
En större procentuell andel av
styrelseledamöter jämfört med
företagsledningen anser att
internrevisionen ger ett väsentligt
värde.
Det är stor skillnad mellan
företagsledningen och
styrelseledamöterna i deras
bedömning av internrevisionens
prestationer.
©TranscendentGroupSverigeAB2013
executive management
board members

Vad hindrar oss att arbeta
med ett systematiskt
kvalitetsarbete – CBOK 2011
The principle reasons for noncompliance
include:
• Small size of the organization or
internal audit staff,
• Cost of using the Standards,
• Amount of time required for
compliance, or
• Lack of management/board support.
©TranscendentGroupSverigeAB2013

Utveckla en kundkultur
©TranscendentGroupSverigeAB2013
It starts with
relationships
• Understand and exceed
stakeholder expectations
• Formal relationship
management program—
involve the whole team
Focus on people
and talent
development
• Training programs include
business acumen and
leadership
• Coaching and development
programs to reinforce OTJ
training
Establish credibility
and earn a seat at
the table
• Bring the right skills to
cover a broader range of
risks
• Ask for feedback and
measure client satisfaction
• Balance independence,
objectivity and value

Hur ledande internrevisionschefer arbetar för
att bli mer relevanta
• Recruiting from the business and sourcing externally for missing
capabilities.
• Continually improving executive and audit committee reports to
provide better context and insight.
• Maintaining close working relationships with the audit
committee.
• Participating in strategic growth, cost and compliance initiatives.
• Engaging legal and compliance expertise to address the complex
array of global compliance risks.
• Partnering with internal and external technology specialists to
address rapidly changing technical and business risks.
©TranscendentGroupSverigeAB2013
2013 State of the Internal Audit Profession Study, PwC

Quality Assurance and Improvement program
©TranscendentGroupSverigeAB2013

A QAIP should conclude on the quality of the
internal audit activity
It enables an evaluation of:
• conformance with the Definition of Internal Auditing, the Code of Ethics and the
Standards,
• adequacy of the internal audit activity’s charter, goals, objectives, policies and
procedures,
• contribution to the organization’s governance, risk management, and control
processes,
• completeness of coverage of the entire audit universe,
• compliance with applicable laws, regulations, and government or industry standards to
which the internal audit activity may be subject,
• the risks affecting the operation of the internal audit activity itself,
• effectiveness of continuous improvement activities and adoption of best practices and
• whether the internal audit activity adds value, improves the organization’s operations,
and contributes to the attainment of objectives.
©TranscendentGroupSverigeAB2013

A QAIP must effectively be applied at three
fundamental levels (or perspectives)
Internal Audit Engagement Level (self-assessment at the audit, engagement or
operational level):
The engagement supervisor (possibly a manager or the CAE) is responsible for
providing assurance that:
• appropriate processes have been used to translate audit plans into specific,
appropriately resourced audit engagements,
• planning, fieldwork/conduct and reporting/communicating results conforms
with the Definition of Internal Auditing, the Code of Ethics and the
Standards,
• appropriate mechanisms are established and used to follow-up management
actions in response to audit recommendations and
• post-engagement client surveys, lessons learned, self-assessments and other
mechanisms to support continuous improvement are completed.
©TranscendentGroupSverigeAB2013

A QAIP must effectively be applied at three
fundamental levels (or perspectives)
Internal Audit Activity Level (self-assessment at the internal audit activity or organizational
level):
The CAE is responsible for providing assurance that:
• written policies and procedures, covering both technical and administrative matters, are
formally documented to guide audit staff in consistent conformance with the
Definition of Internal Auditing, the Code of Ethics and the Standards,
• audit work conforms with written policies and procedures,
• audit work achieves the general purposes and responsibilities described in the internal
audit charter,
• audit work conforms with the Definition of Internal Auditing, the Code of Ethics and
the Standards,
• internal audit work meets stakeholder expectation,
• the internal audit activity adds value and improves the organization’s operations and
• resources for the internal audit activity are efficiently and effectively utilized.
©TranscendentGroupSverigeAB2013

A QAIP must effectively be applied at three
fundamental levels (or perspectives)
External Perspective (independent external assessment of the entire
internal audit activity including individual engagements):
• The CAE must ensure that the internal audit activity undergoes
an external assessment (either an independent external assessment
or a self-assessment with independent validation) at least once
every five years by an independent assessor or assessment team
from outside the organization that is qualified in the practice of
internal auditing as well as the quality assessment process.
©TranscendentGroupSverigeAB2013

1311 – Interna bedömningar
(PA 1311-1)
Interna bedömningar ska innefatta:
• fortlöpande
övervakning/uppföljning av intern-
revisionsverksamheten och
• regelbundna granskningar som
genomförs som självutvärderingar
eller av andra personer inom
organisationen med kunskap om
internrevisionspraxis.
©TranscendentGroupSverigeAB2013

1311– Interna bedömningar (PA 1311-1)
• Fortlöpande uppföljning är en integrerad del av den dagliga övervakningen
och uppföljningen av internrevisionsverksamheten. Fortlöpande uppföljning
är del av policys och praxis som används för att leda
internrevisionsverksamheten och använder de processer, verktyg och
information som kan anses nödvändig för att utvärdera överensstämmelsen
med Definitionen av internrevision, de Yrkesetiska Riktlinjerna samt
Riktlinjer för yrkesmässigt utövande av internrevision.
• Regelbundna granskningar är de utvärderingar som genomförs för att
utvärdera överensstämmelsen med Definitionen av internrevision, de
Yrkesetiska Riktlinjerna samt Riktlinjer för yrkesmässigt utövande av
internrevision.
• Tillräcklig kunskap om internrevisionspraxis kräver åtminstone en förståelse
för samtliga de delar som ingår i ”International Professional Practices
Framework”.
©TranscendentGroupSverigeAB2013

Ongoing Monitoring
Ongoing monitoring provides assurance that the processes in place
are working effectively to ensure quality is delivered on an audit-by-
audit basis. It is primarily achieved through:
• continuous monitoring activities including engagement planning
and supervision,
• standard working practices,
• working paper procedures and signoffs and
• report reviews.
©TranscendentGroupSverigeAB2013

Ongoing monitoring
Additional mechanisms include:
• acquiring feedback from audit clients and other stakeholders,
• assessing the audit engagement readiness prior to fieldwork by looking
for items like pre-approval of the audit scope, innovative best
practices, budgeted hours and assigned staff (expertise),
• using checklists or internal audit automation to give assurance on
whether processes adopted by the internal audit activity (e.g. in internal
audit policies and procedures manuals) are being followed,
• using measures of project budgets, timekeeping systems and audit plan
completion to determine if appropriate time is spent on different
aspects of the audit process as well as high risk and complex areas and
• analyzing other performance metrics to measure stakeholder value.
©TranscendentGroupSverigeAB2013

Periodic Self-Assessment
A periodic self-assessment has a different but interrelated focus to ongoing
monitoring. Periodic self-assessments focus on evaluating:
• conformance with the Internal Audit Charter, the IIA Definition of
Internal Auditing, the Code of Ethics and the Standards,
• the quality of the audit work, including adherence to the internal audit
methodology for selected engagements,
• the quality of supervision,
• the infrastructure, including the policies and procedures, supporting the
internal audit activity,
• the ways in which the internal audit function adds value to the
organization and
• the achievement of performance standards/indicators
©TranscendentGroupSverigeAB2013

Periodic self-assessments should be
conducted through:
• working paper reviews for conformance with the Definition of
Internal Auditing, the Code of Ethics and the Standards and
internal audit policies and procedures, by staff not involved in the
respective audits,
• self-assessment of the internal audit activity with objectives/
criteria established as part of the QAIP,
• review of internal audit performance metrics and benchmarking
of best practices and
• periodic activity and performance reporting to the board and
other stakeholders as deemed necessary.
©TranscendentGroupSverigeAB2013

Performance methods – CBOK study
The internal audit activity performance methods most frequently
used include:
1) assessment by percentage of the audit plan completed,
2) acceptance and implementation of recommendations,
3) surveys/feedback from the board/audit committee/senior
management,
4) customer/auditee surveys from audited departments,
5) assurance of sound risk management and
6) reliance by external auditors on the internal audit activity.
©TranscendentGroupSverigeAB2013

Performance metrics
©TranscendentGroupSverigeAB2013
Infrastructure
• number of audits scheduled/completed
• opportunities for cost reductions identified
Planning
• timeliness of audit notifications
• frequency of risk assessment updates
Fieldwork
• average time spent in field
• percentage of special requests fulfilled
Reporting and Communication
• average number of days to issue final report
• percent of issues past due

Client satisfaction
Client satisfaction surveys
• distributed to management and
the Audit Committee
• should provide a basis for
continuous improvement
• individual project satisfaction
surveys are often used on larger
projects.
©TranscendentGroupSverigeAB2013

Engagement Supervision,
Working Papers and Working
Paper Quality Review
©TranscendentGroupSverigeAB2013
Engagement Supervision
• monitor progress
• assess quality
• provide coaching
• the work provided by consultants
should also be supervised and
monitored.
Working papers
• engagement working papers

Engagement Supervision,
Working Papers and Working
Paper Quality Review
©TranscendentGroupSverigeAB2013
Working Papers Quality
Review
• quality checks
• management oversight
• should be performed on
selected audits

Små internrevisionsenheter
©TranscendentGroupSverigeAB2013
• In sole auditor activities, the
internal auditor may seek
assistance from other parts of
the organisation to undertake
quality assurance activities,
provided this does not impact
the independence of internal
audit.
• The internal auditor may also
look to peers in other
organisations for support.
• Using checklists can also assist
in providing assurance over
audit quality.

Extern kvalitetsutvärdering
There are two approaches to the conduct of external assessments:
• A full external assessment involves the use of a qualified,
independent assessor or assessment team to conduct the full
assessment.
• A self-assessment with independent (external) validation involves
the use of a qualified, independent assessor or assessment team
to conduct an independent validation of the self-assessment
completed by the internal audit activity.
©TranscendentGroupSverigeAB2013

Syftet med en kvalitetssäkring?
Syftet med en kvalitetssäkring av en internrevision ska utifrån vår
erfarenhet utgå ifrån följande tre dimensioner för att
internrevisionen ska kunna bli ansedd som effektiv:
1. Effektiviteten i att möta uppdragsgivares och intressenters
krav och behov.
2. Förmågan att tillämpa senaste best practice inom
internrevisionsprofessionen.
3. Effektiviteten i efterlevnaden av tillämpliga professionella
och/eller regulatoriska internrevisionsstandards, t.ex. de
internationella riktlinjerna för yrkesmässigt utövande av
internrevision och/eller internrevisionsförordningen.
©TranscendentGroupSverigeAB2013

Utvärderingskriterier
• IIA Quality Assessment Manual Scale: Does Not
Conform/Partially Conforms/Generally Conforms.
• The IIA’s Assessment Scale — IIA Path to Quality:
Introductory/Emerging/Established/Progressive/ Advanced.
• IIA Capability Model for the Public Sector: Initial/
Infrastructure/Integrated/Managed/Optimizing.
• DIIR (IIA–Germany) Guideline for Conducting a Quality Assessment:
3–Satisfactory/2–Room for Improvement/1–Significant
Improvement Needed/ 0–Unsatisfactory/Not Applicable).
©TranscendentGroupSverigeAB2013

Vad har jag gjort för iakttagelser vid kvalitets-
genomgångar?
• Dialogen med styrelse/revisionsutskott och ledning är bristfällig.
• Utvecklingen av ett Audit Universe förekommer ej eller är bristfällig.
• Riskanalysen förankras inte i organisationen innan
internrevisionsplanen beslutas.
• Internrevisionsplanen kopplar inte till riskanalysen.
• Revisionsmålen är inte preciserade.
• Ojämn kvalitet på granskningsdokumentationen.
• Iakttagelserna matchar inte revisionsmålen.
• Rapporterna för långa, saknar sammanfattning, saknar prioriteringar.
• Uppföljning av beslutade åtgärder saknas.
©TranscendentGroupSverigeAB2013

www.transcendentgroup.com