In today's environment, an effective quality assurance and improvement program (QAIP) is critical to ensuring that internal audit meets the requirements of the audit committee, executive management, and other stakeholders. Internal and external assessments are key parts of the QAIP, and a robust QAIP incorporates many elements that are part of an organization's day-to-day activities. The ILA Practice Guide, Quality Assurance and Improvement Program, states, "Quality in internal audit begins with the structure and organization of the audit activity. Quality should be built into, and not onto, the way the activity conducts its business--through its internal audit methodology, policies and procedures, and human resource practices." By embedding quality into processes, rather than treating it as extra work, external quality assessments (EQAs) become a turnkey operation.
Fannie Mae has approximately 106 internal audit employees, performing 95 to 110 audits per year. A professional practice group comprising six full-time employees administers the QAIP. The group also is responsible for internal operations and reporting, and approximately 50 percent of its time is focused on the QAIP.
The QAIP is a regulatory requirement whose scope covers all operations of the internal audit department, including audits, reviews, audit issue follow-up, and special projects. Most of the program's components have been in place since before 2007; however, heightened requirements for financial services companies and the internal audit profession require Fannie Mae Internal Audit to continually refine and expand the program.
Because of the size and complexity of the enterprise, and to demonstrate continued compliance with The IIA's International Standards for the Professional Practice of Internal Auditing (Standards), internal audit has had an EQA performed more often than the required five-year period. In the 2014 EQA, internal audit received the highest rating--Generally Conforms--from The ILA's Quality Services team. Before that, audit's last EQA was in 2010, and going forward, it plans to have one performed every three years.
Fannie Mae considered several processes when looking at the overall quality of its internal audit function. And while process design may differ from organization to organization, having these processes in place is a key step toward building a high-quality department.
INDEPENDENCE AND OBJECTIVITY
To strengthen independence, Fannie Mae's CAE reports directly to the chair of the audit committee and administratively to the CEO. Additionally, the audit committee sets the CAE's compensation, and the audit department has goals that are completely separate from those of the overall organization.
An independence and objectivity policy provides required actions related to various situations that may lead to potential impairments, including the transfer of the CAE or audit staff from the business units into the internal audit department, cosourcing engagements, an auditors personal relationship with a member of the business unit being audited or consideration of employment with a business unit, scope limitations, and consulting/advisory engagements.
All internal transfers to internal audit complete an independence questionnaire to identify areas where there may be a conflict affecting objectivity. If a potential conflict is identified, the auditor is prohibited from participating in audits of that area for 12 months. This is monitored through a potential conflicts log that is reviewed in conjunction with scheduling. A similar independence questionnaire is completed by any cosource or staff augmentation personnel that is considered before bringing the resource on board. As an additional protection, each assurance engagement includes an assessment of the objectivity of the engagement team members. This assessment is documented in the engagement workpapers.
Finally, audit personnel receive annual training on the policy,...