I.3 Internal Audit Engagement Quality Assurance Reviews

1. A quality assurance and improvement program (QAIP) has been implemented that covers all aspects of the internal audit activity and continuously monitors its effectiveness. The program was designed to help PRIA’s internal audit activity add value and improve the Office’s operations. It helps ensure that the internal audit activity is being conducted in conformance with International Standards for the Professional Practice of Internal Auditing.

2. As part of the ongoing monitoring portion of the QAIP, engagement quality assurance reviews are carried out, covering working papers, risk assessment and planning activities, reports, and other aspects of engagement performance to assess the overall effectiveness of internal audit engagements in satisfying audit objectives, fulfilling internal audit’s mandate, and conforming to the Standards.

3. Quality assurance (QA) reviews are to be performed on each engagement by a senior internal auditor independent of the team who performed the engagement. The CAE will prescribe the level of review and reviewers for each internal audit. A QA review will normally be completed by the CAE after the internal auditor and/or director have completed their review of the working papers.

4. The purpose of the QA review is to ensure that the entire report, as well as the working papers and communication protocols used to finalize the report, are consistent with internal audit policies and procedures and The IIA’s Standard. For example,

   • Determine whether internal audit policies and procedures are executed uniformly by all internal audit professionals

   • Identify opportunities for improvement in internal audit processes, by providing additional training to internal audit professionals on methodology or by modifying internal procedures to better reflect the needs of clients and auditors or enhance the value provided by internal audit.

5. There are three levels of engagement quality assurance reviews.

Level One—This is the most limited scope review. It consists of detailed review of the internal audit report to ensure all requirements of the Standards and related Implementation Guidance have been met and that internal audit’s standard reporting methodologies and formats have been fulfilled. It is completed before the report is issued.

Level Two—This is a limited scope review. It consists of a Level One review plus a detailed review of the audit report comments and supporting working papers to ensure that each reported item has been developed with adequate evidence, detailed analysis of condition, criteria, root cause, and related risks; careful consideration of alternative solutions; and active management engagement in discussion around the issues.

Level Three—This is the most detailed level of QA review. The reviewer will perform all steps included in Level One and Level Two, ensure that all conclusions on all items and tests are based on solid evidence, and confirm that all appropriate sign-offs are present. The reviewer will check to make sure that the entire report and working papers are in conformance with the Standards. The reviewer is expected to make suggestions that will improve the quality of the audit report/working papers process with an eye to improved effectiveness and efficiency of future audits.

• For a Level One review, the reviewer is required to initial and date the audit report approval template. For all Level Two and Level Three QA reviews, the reviewer is required to prepare a memo to the lead auditor (with a copy to the CAE) indicating the scope of the review, conclusion, and areas needing attention before the reviewer can approve the working papers/report. Upon clearance of review comments, the QA reviewer will so indicate on the QA memo, which will be included in the working paper file.

6. All QA reviews will be conducted before the practice review/internal audit report has been dated and issued.

   1. Edit and Translation will ensure that the final report is free of defects in grammar, punctuation, and usage of numbers. The QA reviewer will ensure that the report is in an acceptable format in accordance with PRIA policies and procedures.

   2. The QA reviewer will ensure that all conclusions are based on solid evidence and all appropriate signoffs are present. The QA reviewer will check to make sure that the entire report and working papers are in compliance with the Standards and PRIA procedures. The reviewer is encouraged to make suggestions that will improve the quality of the report/working papers without significantly increasing time consumption.

7. Documentation of the review will be conducted and included in the TeamMate audit file in evaluating the technical aspects of the project.

8. Those performing QA reviews are reminded that they are representing the CAE. Therefore, it is expected that QA reviewers will employ their very best efforts to ensure that the review is properly conducted in accordance with defined criteria, and due diligence is employed in assuring that Office and IIA standards, laws, and government regulations have been strictly followed in the course of the audit.

9. At least annually, the CAE should complete an overall assessment of the PRIA activity. The assessment should focus on independence/objectivity, professional proficiency, scope of work, performance of work, and management of the department. CAE Questionnaire I-9 should be used as a guide.

10. The effectiveness of this engagement quality assurance review process will itself be assessed as part of the periodic internal assessment portion of the overall QAIP.

Last modified:

2018-03-08