Internal Audit Quality Assurance and Improvement Programme (QAIP)

v1.1 April 2021

Next Review: April 2023
1. Introduction
One of the core principles of the International Standards for the Professional Practice of
Internal Auditing (‘the Standards’) is quality assurance and continuous improvement. Public
Sector Internal Audit Standards (‘PSIAS’) require the Head of Internal Audit to develop and
maintain a quality assurance and improvement programme (QAIP) that covers all aspects of
the internal audit activity.
A QAIP is designed to enable an evaluation of the internal audit activity’s conformance with
the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The
programme also assesses the efficiency and effectiveness of the internal audit activity and
identifies opportunities for improvement. The Head of Internal Audit should encourage
board oversight in the quality assurance and improvement programme.
Section 4 of the QAIP sets out the expectations of PSIAS in terms of undertaking internal and
external quality assurance assessments. The Head of Audit and Assurance has assessed
conformance to those expectations for 2020/21 and identified any areas for improvement.
These will be carried forward into an Internal Audit Improvement Plan, the progress of
2. Requirements of the QAIP

2.1. Scope
PSIAS are clear in defining two types of quality assurance assessments: internal and external.

Internal Assessments must include:

• Ongoing monitoring of the performance of the internal audit activity
• Periodic self-assessment or assessments by other persons within the organisation
with sufficient knowledge of internal audit practices

External Assessments
• Must be conducted at least once every five years by a qualified, independent
assessor or assessment team from outside the organisation
• The Head of Audit and Assurance must agree with the Audit Committee the form of
the assessment and the qualification and independence of the external assessors.
2.2. Reporting
The results of the QAIP and progress against any improvement plans must be reported in
the Internal Audit Annual Report.
Non-conformances with the Code of Ethics or the Standards must be disclosed by the Head
of Audit and Assurance to senior management and the Audit Committee.

Non-conformances should be considered for inclusion in the annual governance statement.

3. Application of the Standards at GMCA

The Internal Audit team at GMCA undertake a number of activities in order to fulfil the
requirements of the Standards in relation to quality assurance and improvement. These
activities, along with their associated monitoring and reporting mechanisms are referred to
as the QAIP. This document sets out those activities and how they are monitored and
The QAIP is designed to provide reasonable assurance to GMCA’s stakeholders that Internal

• Performs its work in line with the Internal Audit Charter (approved annually by the
Audit Committee). The charter incorporates (and is consistent with) the definition of
internal auditing as set out in PSIAS.
• Operates in an effective and efficient manner
• Is perceived by stakeholders as adding value to GMCA

The Head of Audit and Assurance is responsible for the development, annual review and
implementation of the QAIP. The QAIP covers all types of internal activities.
In addition to the requirements of PSIAS, as mentioned above, the Internal Audit Code of
Practice also provides some good practice recommendations for the QAIP. These are
included in Appendix 1 along with how they are built into GMCA’s QAIP.

4. Internal Assessments
In accordance with PSIAS Standard 1300, internal assessments are undertaken
through both on-going and periodic reviews.

4.1. On-going Reviews
Continual assessments of quality are conducted through:
• Management supervision of all engagements;
• Structured, documented reviews of working papers and draft reports by Internal
Audit management;
• Internal Audit Policies and Procedures used for each engagement to ensure
consistency, quality and compliance with appropriate planning, fieldwork and
reporting standards;
• Internal Quality Control Checklist used on a risk assessed basis to ensure
consistency of reporting and reduce administrative error (Appendix 2);
• Feedback from audit clients obtained through Audit Questionnaires at the
closure of each engagement (Appendix 3);
• Review and approval of all Final Reports, recommendations and levels of
assurance by the Head of Audit and Assurance; and
• Regular team meetings attended by all members of the Internal Audit team
for which action plans are retained.

4.2. Periodic Reviews

Periodic assessments are conducted through:
• Annual review of Internal Audit KPIs and approval of targets by the Audit Committee
(Appendix 4);
• Peer reviews of a selection of internal audit working papers and reports, with the
selection of audits reviewed being risk-based;
• Quarterly reports, presented to Senior Leadership Team (SLT) and the Audit
Committee reporting on progress of the Internal Audit Plan, level of assurance for
each audit, forward plan and performance against KPIs;
• Annual performance evaluation form to SLT;
• Annual risk assessments for the purposes of annual audit planning;
• Annual review of the Effectiveness of Internal Audit, undertaken by the Head of
Audit and Assurance;
• Annual review of skills of the team, with appropriate development plans put in place
through personal development plans;
• Annual review of compliance against the requirements of this Quality Assurance and
Improvement Programme, the results of which are reported to the Treasurer and
Audit Committee;
• Feedback from the Treasurer and Chair of Audit Committee to inform the annual
appraisal of the Head of Audit and Assurance;
• The Head of Audit and Assurance will implement appropriate follow-up to any
identified actions from the various sources of feedback to ensure continual
improvement of the service, through an Internal Audit Effectiveness Action Plan; and
• Any significant areas of non-compliance with the PSIAS that are identified through
internal assessment will be reported in the Head of Audit and Assurance’s Annual Report
and used to inform the Annual Governance Statement (AGS).

5. External Assessments
External assessments appraise and express an opinion about internal audit’s conformance
with the PSIAS’ Definition of Internal Auditing and Code of Ethics and include
recommendations for improvement, as appropriate.

5.1. Frequency of External Assessments

An external assessment will be conducted at least every five years, in accordance
with the PSIAS. Appointment of the External Assessor and scope of the External
Assessment will be approved by the Audit Committee. An external assessment was
undertaken in May 2021, the results of which will be reported to the Audit Committee and
incorporated into the Improvement Plan shown in Section 7.

5.2. Scope of External Assessments

An external assessment will consist of a broad scope of coverage in which the external
assessor will:
• Review and assess the conformity of GMCA’s Internal Audit function with the
Institute of Internal Auditors’ Code of Ethics and International Standards for the
Professional Practice of Internal Auditing (IIA Standards);
• Review conformity with the IIA Internal Audit Code of Practice. The Code is not
specifically designed for public sector organisations, but can be used as good
practice guidance;
• Evaluate the role, reputation and impact of internal audit in the organisation, and its
independence and objectivity;
• Provide an independent opinion on the current quality and value provided by the
internal audit function in supporting key business strategy and objectives; and
• Benchmark the internal audit function against IIA standards and industry best
practice / other internal audit teams, highlighting areas for improvement.

6. Review of the QAIP

The QAIP will be subject to periodic review and will be updated accordingly
following any changes to PSIAS or Internal Audit’s operating environment and
will be reviewed at least on an annual basis.

Appendix 1 – IIA Code of Practice recommendations relating to QAIPs

In January 2020 the Institute of Internal Auditors (IIA) published the Internal Audit Code of Practice which provides a number of
recommendations aimed at enhancing the overall effectiveness of Internal Audit and its impact within organisations operating within the UK
and Ireland. The recommendations are intended to be a benchmark of good practice against which organisations can assess their internal audit
function. Section G of the Code, “Quality Assurance and Improvement Programme”, contains six recommendations relating to how the quality
of the internal audit function is measured and periodically assessed. Whilst not specifically aimed at the public sector, alongside PSIAS GMCA
will take into account the recommendations of the Code.
These recommendations are detailed below along with how the GMCA Internal Audit Service will meet those recommendations.

Recommendation 31: The board or the audit committee is responsible for evaluating the performance of the internal audit function on a regular basis. In doing so it will need to identify appropriate criteria for defining the success of internal audit. Delivery of the audit plan should not be the sole criterion in this evaluation.

GMCA implementation: The Audit Committee receives quarterly reports from the Head of Audit and Assurance which contain:
- Progress against the internal audit plan
- Performance against KPI targets
- Implementation rates for internal
Internal Audit KPIs and associated targets are reviewed at least annually and approved by the Audit Committee.

Recommendation 32: Internal audit should maintain an up-to-date set of policies and procedures, and performance and effectiveness measures for the internal audit function. Internal audit should continuously improve these in light of industry developments.

GMCA implementation: Internal Audit has an up to date set of policies and procedures that is reviewed annually by Internal Audit management.

Recommendation 33: Internal audit functions of sufficient size should develop a quality assurance and improvement programme, with the work performed by individuals who are independent of the delivery of the audit. The individuals performing the assessments should have the standing and experience to meaningfully challenge internal audit performance and to ensure that internal audit judgements and opinions are adequately evidenced.
The scope of the QAIP review should include internal audit’s understanding and identification of risk and control issues, in addition to the adherence to audit methodology and procedures. This may require the use of resource from external parties. The quality assurance work should be risk-based to cover the higher risks of the organisation and of the audit process. The results of these assessments should be presented directly to the audit committee at least annually.

GMCA implementation: QAIP in place consisting of a variety of ongoing and periodic internal assessments as well as an external assessment which is undertaken at least once every five years.

Recommendation 34: Where the internal audit function is outsourced to, or co-sourced with, an external provider, internal audit’s work should be subject to the same QAIP work as an in-house function. The results of this QAIP work should be presented to the audit committee at least annually for review. Chief internal auditors should report regularly to the audit committee on the actions or progress implementing the outcomes of the review.

GMCA implementation: Annual report of Head of Audit and Assurance to the Audit Committee which reports performance against the QAIP.
Quarterly reporting to the Audit Committee of progress against actions within the Internal Audit Effectiveness Improvement Plan.

Recommendation 35: In addition, the audit committee should obtain an independent and objective external quality assessment at appropriate intervals, irrespective of the size of the organisation. This could take the form of periodic reviews of elements of the function, or a single review of the overall function. In any event, the internal audit function as a whole should as a minimum be subject to a review at least every five years, as set out in the International Professional Practices Framework (IPPF) for internal audit. The conformity of internal audit with this guidance should be explicitly included in this evaluation. The chair of the audit committee should oversee and approve the appointment process for the independent assessor.

GMCA implementation: An external assessment of the effectiveness of the GMCA Internal Audit Service will be undertaken no later than 2024/25, which will be five years since the establishment of an in-house Internal Audit Service at GMCA.

Recommendation 36: The external quality assessment should consider and report on compliance with this Code as well as with the International Professional Practices Framework (IPPF) and the International Standards for the Professional Practice of Internal Auditing (‘the IIA Standards’).

GMCA implementation: Whilst the code is not designed for public sector organisations, future assessments will take this into consideration, along with PSIAS.

Appendix 2 – Internal Quality Control Checklist

Engagement Planning (2200 - Engagement Planning)

| Key Task | PSIAS ref | QC Checklist |
|---|---|---|
| Preliminary Background | 2201 Planning considerations | A completed planning document for the engagement is saved within the working papers |
| | | The scoping document includes the rationale for the work, evidence of preliminary background research and has appended to it within the working papers any relevant documentation (eg Committee |
| | | Background research is proportionate to take into account upfront identification of any key risks or areas of concern. |
| Assignment Planning | 2210 Engagement objectives | Scoping meeting notes are retained within the working papers? |
| | 2220 Engagement scope | Senior client scoping discussions do take place where possible to clarify lines of engagement and ensure stakeholder expectations are understood and taken into account. |
| Assignment Delivery Plan | 2230 Engagement resource allocation | Resource(s) assigned to the engagement possess the appropriate skills, knowledge and experience to undertake the audit. |
| Terms of | 2210 Engagement objectives | The draft terms of reference include type of audit, scope, approach and limitations |
| | 2220 Engagement scope | Retain evidence of the IA Manager / Head of IA review of the draft terms of reference |
| | | The Audit Sponsor was provided with draft terms of reference and given the opportunity to review and comment prior to the commencement of the |
| Outline Risk and Control Matrix (RCM) | 2240 Engagement Work Programme | Prior to the commencement of the fieldwork the auditor prepared the RCM with the known risks and expected controls to be considered within each area of scope. (This can be dependent on the nature or complexity of work undertaken) |
| | | The RCM was reviewed prior to commencement of the fieldwork. |

Fieldwork and testing (2300 - Performing the engagement)

| Key Task | PSIAS ref | QC Checklist |
|---|---|---|
| Gather | 2310 Identifying information | Process notes and/or meeting notes are included within the working papers |
| Develop testing plan | 2320 Analysis of information | Controls are identified and their design evaluated. Operating effectiveness of controls is tested in line with sample size guidance. The rationale for sample sizes is documented. |
| Testing | 2330 Documenting information | A full and true record of all work undertaken and results of testing is documented within the working papers. |
| Review and Feedback | 2340 Engagement Supervision | RCM was reviewed by the IA Manager/ Head of Audit and Assurance. Evidence of review has been retained. |

Closing and reporting (2400 - Communicating Results)

| Key Task | PSIAS ref | QC Checklist |
|---|---|---|
| Meeting with | | A closure meeting was held with the key audit contact(s) to confirm accuracy of findings and agree proposed actions. |
| Draft Report | 2410 Criteria for Communicating | The draft report includes the engagement's objectives, scope and results. |
| | 2420 Quality of communications | The draft report opinion is in line with the agreed rating methodology. Where auditor judgement is applied outwith the defined scoring mechanism, a clear explanation is provided. |
| | | The draft report acknowledges satisfactory results as well as exceptions. |
| Management comments to draft Report | | Confirmation of the content of the report and agreement of audit actions and implementation dates was received from the Audit Sponsor/Key Contact |
| Final Report | 2440 Disseminating results | The final report is approved for issue by the Head of Audit. |

Post Audit

| Key Task | PSIAS ref | QC Checklist |
|---|---|---|
| Errors and omissions | 2421 Errors and omissions | Were any errors or omissions identified after release of the final report? If Yes, they were communicated to the recipients of the original final report. |
| File Closure and | | All working papers are complete and stored centrally. |

Appendix 3 – Post Audit Questionnaire

Internal Audit - Post Audit Questionnaire

Your feedback is essential to us to allow us to continuously improve our service. Please
complete this short survey, to help us understand from your perspective how well we met
our standards in regards to the planning, fieldwork, and reporting for the recent audit of
<insert name of audit>.

Please rate each of the following statements in line with the scoring mechanism provided.

Rating scale: Strongly Agree / Agree / Neither Agree or Disagree / Disagree / Strongly Disagree

Audit scope
• The auditor clearly communicated the purpose and scope of the audit.
• The agreed audit scope addressed key areas of risk within the function.
• The auditor took into account my (and my team’s) commitments and schedule when developing the audit schedule.

Audit process
• The auditor sufficiently engaged with me / my team throughout the process.
• The auditor demonstrated adequate knowledge of my service area and its risks and
• The agreed actions in the audit report were relevant, practical and will effectively mitigate risks identified in the audit findings.

Audit outcomes
• The audit report was clear, concise, accurate, relevant, and
• The audit report met my assurance needs.

Overall satisfaction
• Overall, I am satisfied with the audit, the way it was conducted and the outcome.

Our aim is that the work of Internal Audit adds value and has a positive impact on
governance, risk, and systems of internal control.

Was there anything more we could have done to support you/your service in this regard?

Appendix 4 – Internal Audit Key Performance Indicators

The following Key Performance Indicators have been defined to measure the performance
of the Internal Audit Service.

| Name | Description | Target |
|---|---|---|
| Timeliness of audits | Audit fieldwork undertaken in the in line with Terms of Reference. Variations to timing agreed with the audit sponsor. | 90% |
| Issue of Draft Report | Draft reports issued within 14 days of closing meeting | 90% |
| Management comments | Management comments received within 14 days of draft report | 90% |
| Final report | Final report issued within 14 days of management comments | 90% |
| Audit actions | Implemented on time | 85% |
| Audit days | Deliver audits within the allocated number of days. | 90% |
| Customer satisfaction | Ensure customer satisfaction is at a high level for each audit | 85% |


