______CREDIT UNION

QUALITY ASSURANCE SELF-REVIEW

ASSESSMENT QUESTIONNAIRE

DEFINITIONS

  1. “Chief Audit Executive” (CAE): The individual who is ultimately responsible for carrying out the internal audit activity.
  2. “Internal Audit”: The internal auditor, internal audit activity or the collective group of internal audit personnel, depending upon context.
  3. “Board”: The Supervisory Committee, Audit Committee, or other body that ultimately governs the internal audit activity.

INSTRUCTIONS

  1. Survey selected auditees to obtain their views on authority and qualifications of the auditors, adequacy of coverage, usefulness of reports, etc. Make adjustments to Internal Audit practices as necessary.
  2. Meet with the member of management to whom the CAE administratively reports to gain insight into expectations of and the direction provided to Internal Audit. Make adjustments to Internal Audit practices as necessary.
  3. Complete the Self-Assessment Workpaper Review Checklist for a selection of audits. Make adjustments to Internal Audit practices as necessary.
  4. Complete the assessment questionnaire. Questions are structured so that a “yes” response indicates conformance with the Standards and Practice Advisories. For items with “no” answers, either adjust Internal Audit practices as necessary or be prepared to discuss compensating factors with the QAR reviewer.


ASSESSMENT QUESTIONNAIRE

The specific Standard (STD), Interpretation (INT) or Practice Advisory (PA) applicable to each item is indicated in brackets.

1.Attribute Standard 1000, “Purpose, Authority, and Responsibility”

/ Yes / No / N/A

a.Is the purpose, authority and responsibility of Internal Audit formally defined in an internal audit charter? [STD 1000]

b.Is the purpose, authority and responsibility consistent with the Definition of Internal Auditing, the Code of Ethics, and the Standards? [STD 1000]

c.Does the CAE periodically review the charter and present it to senior management and the Board for approval? [STD 1000]

d. Is the nature of assurance and consulting services defined in the charter? [STD 1000.A1]

e. If assurances are provided to third parties, is the nature of these assurances defined in the charter? [STD 1000.A1]

f.Does the charter establish

Internal Audit’s position in the CU

nature of the CAE’s functional reporting relationship with the Board? [INT 1000]

g.Does the charter authorize access to

records

personnel

physical properties

relevant to audit performance? [INT 1000]

h.Does the charter define the scope of Internal Audit activities? [INT 1000]

i.Does final approval of the charter reside with the Board? [INT 1000]

j.Does the CAE periodically assess whether Internal Audit’s purpose, authority and responsibility, as defined in the charter, continue to enable Internal Audit to accomplish its objectives? [PA 1000-1 #2]

2.Determine compliance with Attribute Standard 1010 “Recognition of the Definition of Internal Auditing, the Code of Ethics and the Standards in the Internal Audit Charter”:

/ Yes / No / N/A

a.Does the charter recognize the mandatory nature of the Definition of Internal Auditing, the Code of Ethics and the Standards? [STD 1010]

b.Does the CAE discuss the Definition, the Code and the Standards with senior management and the Board? [STD 1010]

3.Determine conformance with Attribute Standard 1100 “Independence and Objectivity”:

/ Yes / No / N/A

a.Is Internal Audit independent and objective in performing their work? [STD 1100]

b.Is Internal Audit free from conditions that threaten Internal Audit’s ability to carry out Internal Audit’s responsibilities in an unbiased manner? [INT 1100]

c.Does the CAE have direct and unrestricted access to senior management and the Board? [INT 1100]

d.Is there an unbiased mental attitude that allows Internal Audit to perform audits in such a manner that they believe in their work product and that no quality compromises are made? [INT 1100]

e. Does Internal Audit not subordinate its judgment on audit matters to others? [STD 1100]

f.Are threats to independence and objectivity managed at the individual auditor, audit, functional and Credit Union levels? [INT 1100]

4.Determine conformance with Attribute Standard 1110, “Organizational Independence”:

/ Yes / No / N/A

a.Does the CAE report to a level within the Credit Union that allows Internal Audit to fulfill its responsibilities? [STD 1110]

b. Does the CAE confirm to the Board, at least annually, the organizational independence of Internal Audit? [STD 1110]

c. Does the Board approve the charter and risk based audit plan? [INT 1110]

d. Does the CAE communicate with the Board on Internal Audit’s performance relative to the audit plan? [INT 1110]

e.Does the Board approve decisions regarding the appointment and removal of the CAE? [INT 1110]

f.Does the Board make appropriate inquiries of management and the CAE to determine whether there is inappropriate scope or resource limitations? [INT 1110]

g.Does support from senior management and the Board assist Internal Audit in gaining the cooperation of audit clients and performing their work free from interference? [PA 1110-1 #1]

h.If the CAE does not report to the Board, does the CAE report to an individual in the Credit Union with sufficient authority to promote independence and to ensure

broad audit coverage

adequate consideration of audit communications

appropriate action on audit recommendations? [PA 1110-1 #2]

5.Determine conformance with Attribute Standard 1110.A1 “Free from Interference”:

/ Yes / No / N/A

a.Is Internal Audit free from interference in determining the scope of internal auditing, performing work and communicating results? [STD 1110.A1]

6.Determine conformance with Attribute Standard 1111 “Direct Interaction With the Board”:

/ Yes / No / N/A

a.Does the CAE communicate and interact directly with the Board? [STD 1111]

b. Does the CAE regularly attend and participate in Board meetings that relate to the Board’s oversight for auditing, financial reporting, governance and control OR does the CAE meet privately with the Board at least annually? [PA 1111-1]

c.Is the CAE apprised of business and operational developments? [PA 1111-1 #1]

d. Does the CAE raise high-level risk, systems, procedures or control issues at an early stage? [PA 1111-1 #1]

7.Determine conformance with Attribute Standard 1120, “Individual Objectivity”:

/ Yes / No / N/A

a. Do Internal Auditors have an impartial, unbiased attitude and avoid any conflict of interest? [STD 1120]

b.Do Internal Auditors NOT have competing professional or personal interests that make it difficult to fulfill duties impartially? [INT 1120]

c. Are there NOT any appearances of impropriety that can undermine confidence in Internal Audit and the profession? [INT 1120]

d.Are Internal Auditors not placed in situations that could impair their ability to make objective professional judgments? [PA1120-1 #1]

e.Does the CAE organize staff assignments that prevent potential and actual conflict of interest and bias, periodically obtaining information from the staff concerning potential conflict of interest, and rotating Internal Audit staff assignments periodically? [PA1120-1 #2]

f. Are Internal Audit work results reviewed before audit communications are released to provide reasonable assurance that the work was performed objectively? [PA 1120-1 #3]

g.Does the Internal Auditor avoid designing, installing, or drafting procedures for operating systems? [PA1120-1 #4]

h.If the Internal Auditor performs non-audit work occasionally, is there full disclosure in the reporting process? [PA1120-1 #5]

i. If the Internal Auditor performs non-audit work occasionally, is there careful consideration by management and the Internal Auditor to avoid adversely affecting the Internal Auditor’s objectivity? [PA 1120-1 #5]

8.Determine conformance with Attribute Standard 1130, “Impairment to Independence or Objectivity”:

/ Yes / No / N/A

a.If independence or objectivity is impaired in fact or appearance, are the details of the impairment disclosed to appropriate parties? [STD 1130]

b.Are Internal Auditors required to disclose:

personal conflict of interest

scope limitations

resource limitations? [INT 1130]

c. Are Internal Auditors given unrestricted access to:

records

personnel

properties? [INT 1130]

d.Do Internal Auditors report to the CAE any situations in which an actual or potential impairment to independence or objectivity may reasonably be inferred? [PA 1130-1 #1]

e.Do Internal Auditors report to the CAE if they have questions about whether a situation constitutes an impairment to objectivity or independence? [PA 1130-1 #1]

f.Are scope limitations evaluated to determine if they preclude Internal Audit from accomplishing its objectives and plans? [PA 1130-1 #2]

g.Are scope limitations and the potential effects communicated in writing to the Board? [PA 1130-1 #3]

h.Do Internal Auditors decline fees, gifts or entertainment from employees, members, vendors or business associates that may create the appearance that the Auditor’s objectivity has been impaired? [PA 1130-1 #4]

i.Do Internal Auditors report immediately the offer of all material fees or gifts to their supervisors? [PA 1130-1 #4]

j.Are persons who are transferred to, or temporarily engaged by, Internal Audit not assigned to audit activities they previously performed or for which they had management responsibility until at least 1 year has elapsed? [PA 1130.A1-1]

k.Do Internal Auditors refrain from accepting responsibility for non-audit functions or duties that are subject to periodic Internal Audit assessments? [PA 1130.A2-1 #1]

9.Determine conformance with Attribute Standard 1130.A1, “Assessing Operations for Which Internal Auditors Were Previously Responsible”:

/ Yes / No / N/A

a. Does Internal Audit refrain from assessing specific operations for which they were previously responsible? [STD 1130.A1-1]

b.Does Internal Audit NOT provide assurance services for an activity for which the auditor had responsibility within the previous year? [1130.A1-1]

10.Determine conformance with Attribute Standard 1130.A2, “Internal Audit’s Responsibility for Other (Non-audit) Functions”

/ Yes / No / N/A

a. Are assurance audits for which the CAE has responsibility overseen by a party outside of Internal Audit? [STD 1130.A2]

b.When Internal Audit accepts operational responsibilities and that operation is part of the Internal Audit plan, does the CAE use a contracted third party to complete audits of those areas reporting to the CAE? [PA 1130.A2-1 #4]

c.Are Internal Audit’s operational responsibilities disclosed in the related audit report of those areas reporting to the CAE and in Internal Audit’s standard Board communication? [PA 1130.A2-1 #5]

11.Determine conformance with Attribute Standard 1200, “Proficiency and Due Professional Care”:

/ Yes / No / N/A

a.Are audits performed with proficiency and due professional care? [STD 1200]

b. Does the CAE ensure that auditors assigned to each audit collectively possess the necessary knowledge, skills and other competencies to conduct the audit appropriately? [PA 1200-1 #1]

c. Do Internal Auditors conform with the Code of Ethics, the Credit Union’s code of conduct and codes of conduct for other professional designations held by the Internal Auditor? [PA 1200-1 #2]

12.Determine conformance with Attribute Standard 1210, “Proficiency”:

/ Yes / No / N/A

a.Do Internal Auditors possess the knowledge, skills and other competencies needed to perform their individual responsibilities? [STD 1210]

b.Does Internal Audit collectively possess or obtain the knowledge, skills and other competencies needed to perform its responsibilities? [STD 1210]

c.Do Internal Auditors demonstrate their proficiency by obtaining appropriate professional certifications and qualifications? [INT 1210]

d.Are Internal Auditors proficient in applying internal audit standards, procedures, and techniques in performing audits? [PA 1210-1 #1]

e.Are Internal Auditors proficient in accounting principles and techniques if internal auditors work extensively with financial records and reports? [PA 1210-1 #1]

f.Do Internal Auditors have an understanding of management principles to recognize and evaluate the materiality and significance of deviations from good business practice? [PA 1210-1 #1]

g.Do Internal Auditors have an appreciation of the fundamentals of business subjects such as accounting, economics, commercial law, finance, quantitative methods, risk management, and fraud? [PA 1210-1 #1]

h.Are Internal Auditors skilled in dealing with people, understanding human relations and maintaining satisfactory relationships with audit clients? [PA 1210-1 #1]

i.Are Internal Auditors skilled in oral and written communications and able to clearly and effectively convey audit objectives, evaluations, conclusions and recommendations? [PA 1210-1 #1]

j.Has the CAE established suitable criteria of education and experience for filling internal audit positions? [PA 1210-1 #2]

k.Has the CAE obtained reasonable assurance as to each prospective auditor’s qualifications and proficiency? [PA 1210-1 #2]

l.Is there an annual analysis of Internal Audit’s knowledge, skills and other competencies? [PA 1210-1 #3]

13.Determine conformance with Attribute Standard 1210.A1 “Obtaining External Service Providers to Support or Complement Internal Audit”

/ Yes / No / N/A

a.Does the CAE obtain competent advice and assistance if the Internal Auditors lack the knowledge, skills or other competencies needed to perform all or part of an audit? [STD 1210.A1]

b.When the CAE uses the work of an external service provider, does the CAE perform appropriate vendor due diligence? [PA 1210.A1-1 #s4,5]

c.Does vendor due diligence include assessing the relationship of the vendor to the Credit Union and to Internal Audit to ensure independence and objectivity? [PA 1210.A1-1 #6]

d.If the vendor is the Credit Union’s CPA firm and the nature of the service is extended audit services, does the CAE determine that work performed does not impair the CPA firm’s independence? [PA 1210.A1-1 #8]

e.Does the CAE obtain proposals, engagement letters or contracts with sufficient information regarding the scope of the vendor’s work? [PA 1210.A1-1 #9]

14.Determine conformance with Attribute Standard 1210.A2 “Fraud Knowledge”

/ Yes / No / N/A

a.Do Internal Auditors have sufficient knowledge to evaluate the risk of fraud and the manner in which fraud is managed by the Credit Union? [STD 1210.A2]

15.Determine conformance with Attribute Standard 1210.A3 “Technology Knowledge”

/ Yes / No / N/A

a.Do Internal Auditors have sufficient knowledge of key information technology risks and controls? [STD 1210.A3]

b.Do Internal Auditors have available technology-based audit techniques to perform their assigned work? [STD 1210.A3]

16.Determine conformance with Attribute Standard 1220, “Due Professional Care”:

/ Yes / No / N/A

a.Do Internal Auditors apply the care and skill expected of a reasonably prudent and competent internal auditor? [STD 1220]

b.Are Internal Auditors alert to the possibility of

fraud

intentional wrongdoing

errors and omissions

inefficiency

waste

ineffectiveness

irregularities

conflicts of interest? [PA 1220-1 #1]

c.Do Internal Auditors identify inadequate controls and recommend improvements to promote conformance with procedures? [PA 1220-1 #1]

d.Do Internal Auditors conduct examinations and verifications to a reasonable extent? [PA 1220-1 #2]

e.Do Internal Auditors NOT give absolute assurance that noncompliance or irregularities do not exist? [PA 1220-1 #2]

17.Determine conformance with Attribute Standard 1220.A1 “Due Professional Care Considerations”:

/ Yes / No / N/A

a.Do Internal Auditors consider

the extent of work needed to achieve audit objectives

the complexity, materiality or significance of matters to which audit procedures are applied? [STD 1220.A1]

b.Do Internal Auditors consider the adequacy and effectiveness of governance, risk management and control processes? [STD 1220.A1]

c. Do Internal Auditors consider the probability of significant errors, fraud or noncompliance? [STD 1220.A1]

d.Do Internal Auditors consider the cost of the audit in relation to potential benefits? [STD 1220.A1]

18.Determine Conformance with Attribute Standard 1220.A2 “Technology Based Audit”:

/ Yes / No / N/A

a.Do Internal Auditors consider the use of technology-based audit and other data analysis techniques? [STD 1220.A2]

19.Determine Conformance with Attribute Standard 1220.A3 “Significant Risks”

/ Yes / No / N/A

a.Are Internal Auditors alert to significant risks that might affect objectives, operations or resources? [Standard 1220.A3]

20.Determine conformance with Attribute Standard 1230, “Continuing Professional Development”:

/ Yes / No / N/A

a.Do Internal Auditors enhance their knowledge, skills and other competencies through continuing professional development? [STD 1230]

b.Have Internal Auditors stayed informed about improvements and current developments in internal audit standards, procedures, techniques and guidance? [PA 1230-1 #1]

c. Have Internal Auditors pursued continuing professional education (related to the Credit Union’s activities and credit union industry) to maintain proficiency with regard to the governance, risk and control processes unique to the Credit Union? [PA 1230-1 #3]

d.Have Internal Auditors with professional certifications obtained sufficient CPE to satisfy recertification requirements? [PA 1230-1 #5]

21.Determine conformance with Attribute Standards 1300 “Quality Assurance and Improvement Program”:

/ Yes / No / N/A

a.Has the CAE developed and maintained a quality assurance and improvement program (QA&IP) that covers all aspects of Internal Audit? [STD 1300]

b.Is the QA&IP designed to enable an evaluation of Internal Audit’s conformance with the Definition of Internal Auditing and the Standards and an evaluation of whether internal auditors apply the Code of Ethics? [INT 1300]

c.Does the QA&IP assess the efficiency and effectiveness of Internal Audit and identify opportunities for improvement? [INT 1300]

d.Has the CAE implemented processes designed to provide reasonable assurance to the various stakeholders that Internal Audit is adding value and improving the Credit Union’s operations? [PA 1300-1 #2]

e.Is the QA&IP sufficiently comprehensive to encompass all aspects of Internal Audit operation and management? [PA 1300-1 #3]

f. Is the QA&IP process performed by or under the direct supervision of the CAE? [PA 1300-1 #3]

22.Determine conformance with Attribute Standard 1310, “Requirements of the QA&IP”

/ Yes / No / N/A

a.Does the QA&IP include both internal and external assessments? [STD 1310]

b.Is there an ongoing and periodic assessment of the entire work performed by Internal Audit? [PA 1310-1 #1]

c.Are assessments composed of

rigorous, comprehensive processes

continuous supervision and testing of Internal Audit work

periodic validations of conformance with the Definition, the Code and the Standards? [PA 1310-1 #1]

d. Are there ongoing measurements and analyses of performance metrics (e.g. plan accomplishment, cycle time, recommendations accepted, customer satisfaction)? [PA 1310-1 #1]

e.If assessment results indicate areas for improvement by Internal Audit, does the CAE implement the improvements through the QA&IP? [PA 1310-1 #1]

f.Do assessments evaluate and conclude on Internal Audit quality and lead to recommendations for appropriate improvements? [PA 1310-1 #2]

g.Does the QA&IP include an evaluation of

adequacy of the Internal Audit charter, goals, objectives, policies and procedures

contribution to the Credit Union’s governance, risk management, and control processes

effectiveness of continuous improvement activities and adoption of best practices

the extent to which Internal Audit adds value and improves the Credit Union’s operations? [PA 1310-1 #2]

h.Do QA&IP efforts include follow-up on recommendations involving appropriate and timely modification of resources, technology, processes, and procedures? [PA 1310-1 #3]

i. Does the CAE report to senior management and the Board on the quality program efforts and results at least annually? [PA 1310-1 #4]