I.13 Example of Standard Clauses for Request for Proposals

External Assessment

  1. The engagement of an outside independent assessor or assessment team to complete the enterprises’ external quality assessment will be handled under the auspices of the enterprise’s central contracting and procurement department using its standard clauses and terms. In addition, internal audit will request inclusion of the following clauses, as revised from time to time.

Scope of Service

  1. An outline of the proponent’s expertise in the internal audit quality assessment (QA) should introduce the proposal, indicating the number of clients for whom this service has been provided in the past, and attaching an appendix listing those clients and their main contact person for reference purposes.

  2. The QA process to be used should reflect coverage of the areas contained in the mandatory International Standards for the Professional Practice of Internal Auditing (Standards), the Definition, the Code of Ethics and other recommended guidance in the International Professional Practices Framework (IPPF®) considered applicable and useful. The process should include both assurance and consulting activities carried out by the internal audit department. The methodology to be used should be outlined, along with the benefits of its use. Preference will be given to those proposing to use the approach described in Quality Assessment Manual for the Internal Audit Activity, published by The IIA Research Foundation.

  3. The scope of the QA should assess conformance to the Standards, Definition, and Code of Ethics as well as outlining opportunities to improve the efficiency and effectiveness of the internal audit activity. The QA approach should provide the Audit Committee, executives, and the Chief Audit Executive (CAE) with an opinion as to the degree to which the activity conforms to the Standards, Definition, Code of Ethics, as well as the department charter, plans, and policies. The scope will include recommendations for improving the department’s effectiveness and value contribution to the corporation.

  4. The opinion should take the form of a statement that the department generally conforms, partially conforms, or does not conform as set out in the evaluation method in Quality Assessment Manual for the Internal Audit Activity noted above.

  5. Areas to be considered in the scope of this assessment include:

    • corporate governance processes over internal audit flowing from the Audit Committee, the governance committee, the board, and executives;

    • enterprise risk assessment process as applied to internal audit planning;

    • opportunities for consulting services; and

    • operations of the internal audit department as observed through the eyes and ears of the CAE, the internal audit team, the Audit Committee, and key audit customers.

Objectives

  1. The proponent’s objectives during the QA of the internal audit department should include the following:

    • Provide an opinion as to whether the internal audit activity complies with The IIA’s Standards, Definition, and Code of Ethics (see Scope above).

    • Review the internal audit activity’s implementation of the Standards, including the existence of a quality assurance and improvement program and the provision of consulting services.

    • Assess the efficiency and effectiveness of the internal audit activity in light of (a) its charter; (b) expectations of the Audit Committee, executives, and the CAE; and (c) its current needs, exposures to performing at less than an effective level, and the future direction and goals of the organization.

    • Identify opportunities and offer ideas and counsel, including selected “leading practices,” to the CAE and team for improving their performance so the activity can add value to executives and the Audit Committee, and promote the image and credibility of the activity within the corporation.

    • Review the internal audit department’s interaction with the other members of the governance process and its involvement in the enterprise risk assessment process, the building of the internal audit department’s audit universe, and preparation of its audit plan. This would include assessing the annual and long-range audit plans to see whether audit areas represent current and future business plans, strategy, exposures, and operations.

    • Determine the perception of internal auditing through interviews and surveys with members of the corporation’s executives and other internal audit customers.

    • Review and identify ways to enhance the auditing activity’s policies and practices, as well as the coordination with other internal and external providers of assurance.

Experience and Qualifications

  1. The proponent should outline its experience in performing similar quality assessments, detailing the advantages it brings to this assessment in terms of the expertise of its QA team members, their backgrounds, and their experience, and whether or not the CAE will be able to choose from several options of team members based on their experience. Team members who have had QA experience with the internal audit activities of similar corporations of similar scope would be preferred.

  2. With respect to proposed team members, factors that will be of import will include the following:

    • Experience as a CAE of a major corporation

    • Qualification as a Certified Internal Auditor

    • Qualification as a Certified Information Systems Auditor

    • Completion of The IIA seminar, “Performing External Quality Assessments of the Internal Auditing Activity”

  3. Proponents should quote the experience and qualifications only of those persons available for assignment to the fieldwork as part of the QA team.

Core Competencies

  1. The core competency portion of the assessment should include all phases of auditing, such as customer interaction, universe creation, planning, risk assessment, internal controls, report writing, follow-up, tracking, managing an audit effort, use of metrics, interaction with the Audit Committee, and use of information technology (IT).

Leading Practices

  1. The present operations of the internal audit activity should be evaluated against leading practices demonstrated by other internal audit activities familiar to the proponent, as well as those carried out by other leading-edge companies. Leading practices could include, but are not limited to, the following:

    • Conducting enterprise risk assessment

    • Utilizing risk and control self-assessment

    • Using internal control processes based on recognized internal control frameworks

    • Partnering with management

    • Contributing counsel and ideas of value to management

    • Integrating concepts of corporate governance into practice

    • Increasing team performance

    • Providing consulting services

    • Communicating more effectively

    • Developing team members, both personally and professionally

    • Using more technology to increase team efficiency

    • Establishing an assurance activity

    • Utilizing continuous auditing

    • Stressing customer focus

    • Conducting audits in emerging areas

    • Utilizing performance measurements

IT Auditing

  1. The QA team should include a person knowledgeable in IT auditing, who should, in the context of the corporation, review the internal audit activity’s coverage of IT as follows:

    • The key IT risks of the organization

    • IT auditing activities and objectives

    • Computer equipment and software packages available for use by the internal audit activity

    • Involvement in and awareness of strategic/tactical planning for implementing IT throughout the organization

    • Audit planning, policies and procedures, scope of work, tools, and objectivity of the IT audit activity

    • Audits performed in the last year, universe of IT risks subject to audit, how the universe is updated, and how IT risk is assessed

    • Qualifications of IT auditors, the ongoing training, and the ability to utilize outside experts when required

(Source: Thomas, Archie et al. Essentials: World-Class Tools for Building and Internal Audit Activity, 2nd Edition, Institute of Internal Auditors Research Foundation, 2016.)

Last modified:
2019-03-07