Quality Assessments

Larry's Internal Audit Quality Assessments

Why not do something better than most other quality assessments? Bring Larry on-site to improve your audit process by sharing ideas, discussing state-of-the-art audit techniques, getting CPE and satisfying Standard 1312 all at the same time.

Additionally, I've developed a QA Toolkit that will help small IA shops perform a periodic self-assessment, with an external validation. See more on the Free QA Page.

If you've had a QA in the past year or so, you might consider this an update, or maybe you just want to get another opinion.

Includes:

  • Review of individual audits: planning, working papers, testing approach, reporting

  • Review of annual audit planning (AAP) process, audit metrics, IT audit coverage

  • Self-assessment workshop with auditors (large shops)

  • Training workshop to present and discuss results - 7 CPE hours

  • Formal report detailing results of QA

  • Interviews with management, as needed

  • Conforms to IIA Standard 1312 - External QA

Why Larry's QA Process?

Based on my experiences in performing QA’s and validations of self-assessment efforts, and discussions with others, most traditional external QA processes have many shortcomings:

  • Too much preparation time (the self-study)

  • Cost too much

  • Were too long - three to five weeks

  • Report was too controversial – suggested changes, but no real value

  • Didn’t report the good things – reports were findings- or exception-based

  • Were too much like an audit and not enough like consulting

  • Had too much "review", and not enough "sharing"

  • Reviewers were not flexible

  • Reviewers imposed their own procedures instead of asking "What do the Standards say?"

All these resulted in audit departments not getting full value from the QA process. Larry's QA Process is designed to change all that! I really think I can do better.

Typical Three to Five Day Agenda (for Medium and Large Shops):

  • Preparation: 1) Supply me with enough existing audit reports, plans, charters, programs, manuals and status reports that I can get “on board” with the work done by the department before I come on-site. 2) Participate in one hour-long conference call at least two weeks before on-site work to begin survey process and discuss logistics.

  • Day 1: Comments on audit reports; review of audits, annual audit planning (AAP), metrics, IT approach; self-assessment workshop

  • Day 2-4: Comments on individual audits, AAP, metrics, IT; Discuss draft report

  • Day 5: Training seminar in relevant topics.

  • Post: Finalize report

Typical One or Two Day Agenda (for Small Shops):

  • Preparation: 1) Supply me with enough existing audit reports, plans, charters, programs, manuals and status reports that I can get “on board” with the work done by the department before I come on-site. 2) Participate in one hour-long conference call at least two weeks before on-site work to begin survey process and discuss logistics.

  • Day 1: Discuss audit reports, AAP, metrics, IT approach; Review of audits

  • Day 2: One-on-one training related to controls, risk assessment, audit reporting, metrics, IT; Discuss draft report

  • Post: Finalize report

Simple, Fixed Fee Pricing: $2,000 per person, to maximum of $30,000.

Other Benefits:

  • See COSO in action. Audit departments have internal controls too

  • See and discuss a simple automated work paper system (OneNote), an essential audit tool

  • See use of iPad Tablet - also an essential audit tool

  • Discuss and use cloud services such as DropBox, OneDrive and other online collaboration tools

QA Beliefs:

Before I come on-site, you should know some things about how I view QA's. These are at the core of Larry's QA Process. I believe:

  • QA’s should be a positive, value-adding experience for the internal audit department. A QA should leave the audit department with a good feeling about the process.

  • The worst outcome for a QA is a report containing an evaluation or suggestions that a good audit department disagrees with. Because of the power that resides in an external reviewer, in an inflexible approach, the internal audit department might be required to accept and implement suggestions with which they absolutely disagree. This would be a mistake.

  • A constant question on a QA should be “What do the Standards say?” as that is the measure of conformity rather than the personal opinion or experience of any one reviewer. In general the Standards allow for many alternative methods of complying in any area. Such an approach is different than a “by the books” review which does not entertain real-world, necessary variances in approach.

  • Reviewing working papers, while an essential step of a QA, is actually not as important as open discussions with auditors about how they do their audits.

  • While a QA team should be flexible, the spirit of the Standards must be understood and achieved and effective measures employed by internal auditing to provide a high level of assurance to detect fraud, waste and abuse in the audit effort.

  • An effective, internal quality control and assurance process is essential to achieving compliance with the Standards.

  • Smaller audit shops are different than larger shops, and have a different level of formality in their audit manual and other procedures. I understand that.

  • Finally, neither an audit nor a QA should be a game of “second guessing” those actually performing the work. The passage of time makes many things clear that were not clear at the time work was performed. Auditors and reviewers must keep this in mind during their work. This means reviewers should give positive feedback and credit when an audit department finds and addresses quality problems in an ongoing manner. That is a good event, to be positively viewed, and those items in process of being corrected do not need to be criticized during the QA.

Interested in Larry's QA Process? Give me a call or email.

Larry Hubbard