Top Ten Issues facing Internal Auditing in the Future

1 www.theiia.org Top Ten Issues facing Internal Auditing in the Future The IIA Dallas Chapter April 6, 2006 Presented by: David A. Richards, CIA, CPA...

13 downloads 644 Views 1MB Size
Top Ten Issues facing Internal Auditing in the Future The IIA Dallas Chapter April 6, 2006 Presented by: David A. Richards, CIA, CPA President The Institute of Internal Auditors [email protected] 1 www.theiia.org

Agenda •What should Internal Auditors do? •Top Ten areas for internal auditors to focus on for the future •How can The IIA help? 2 www.theiia.org

Definition of Internal Auditing: Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the risk management, control and governance processes. (Approved by the Board of Directors 6/26/99)

3 www.theiia.org

What do Internal Auditors Do? • Help solve problems • Confirm accuracy of information • Ensure assets are properly safeguarded • Confirm compliance to laws & regulations • Help improve the effectiveness and efficiency of processes • Investigate fraud situations • Provide a resource for skills 4 www.theiia.org

What are our Constituents saying about us? • Communication needs improvement (AC, Mgt, EA) • Focus needs better alignment • Resources/skills need assessment • Top areas for attention: control, risk, fraud, IT • Assessment of results presentation 5 www.theiia.org

Where are we now??? Image do we have? What type of Outputs do we produce? What Process do we follow? What ability do we have to control the future? What indicators do we have of how we

• What • • • •

are doing?

6 www.theiia.org

Where are we now???

Image • • • •

Corporate “cop” Compliance focused Partner Source of value creation • Involved in corporate initiatives • Customer focused 7 www.theiia.org

Where are we now???

Outputs

• Findings / causes • Recommendations • Implementation help • Post implementation verification / confirmation of results that resolve issues • Anticipate customer needs 8 www.theiia.org

Where are we now???

Process

• Cycle • Risk based • Customer input • Customer focused / driven • Competitive (Bid) • Proactive vs. reactive 9 www.theiia.org

Agenda •What should Internal Auditors do? •Top Ten areas for internal auditors to focus on for the future •How can The IIA help? 10 www.theiia.org

#1:Fraud Audit Techniques 11 www.theiia.org

Fraud Responsibilities • Internal Auditing – Fraud risk identification & response – – – – – –

Investigating Fraud cases Fraud consideration in each audit Support Hot Line Support Education & Training Help Ethics Officer – Fraud Program Help establish Corporate Compliance Program 12 www.theiia.org

Fraud Aspects

•Awareness •Training •Identification •Investigation 13 www.theiia.org

#2:Technology Expertise 14 www.theiia.org

Assessing IT Controls • Understanding IT Controls – – – –

• • • • •

Governance, Management, Technical General / Application Preventive, Detective, Corrective Information Security

Importance of IT Controls Roles & Responsibilities for IT Controls Based on Risk Monitoring techniques Assessment Process 15 www.theiia.org

GAIT Scoping Example For • • • •

financial reporting, the scope of IT control testing has three primary axes: What business processes are in scope? Which business processes are relevant to financial reporting (e.g., materiality)? How significant is the business process to the financial reporting objective? What other transactional controls exist that may create assurance of the business process integrity (e.g., manual settlement and balancing)? Example: 10 revenue generating systems; external auditors won’t look at all 10, but will concentrate on the 3 that compose 85%. • For those business processes in scope, what IT assets are considered relevant to financial reporting (e.g., distance and percentage of controls embedded in IT)? Example: 10 revenue generating systems; external auditors won’t look at all 10, but will concentrate on the 3 that compose 85% of the overall revenues. • What level of controls evaluation and testing is required to create sufficient assurance for management to make the assertions related to IT change and IT entitlements transactions (e.g., completeness, accuracy, etc.)? • What are the types of controls in place? The level of assurance goes from highest to lowest, in the following order: • automated and preventive • automated and detective: • manual and preventive • manual and detective

16 www.theiia.org

#3:Governance Auditing 17 www.theiia.org

Governance – Key Words • Expectations – What is needed for Success: Policies, procedures, guidance, organization, assignment of responsibilities • Communications – Informing & Training

• Accountability – holding people accountable for meeting expectations 18 www.theiia.org

IIA Standards-Governance • 2130-Governance • The internal audit activity should contribute to the organization's governance process by evaluating and improving the process through which (1) values and goals are established and communicated, (2) the accomplishment of goals is monitored, (3) accountability is ensured, and (4) values are preserved

19 www.theiia.org

Allocation of IA Effort

Audit Effort

Best Practice reviews Perfo

rm au dits o f des e ffecti speci i gn & venes fic go s of verna nce p roces ses Provide advice with focus on Establishing Governance Structure

Less Structured

More Structured Governance Model 20 www.theiia.org

What Should IA Do? Setting Expectations: IA should: -- Help drafting of policies, procedures, processes, guidance to utilize their - knowledge - expertise -- Ensuring Controls are build into processes not added on

21 www.theiia.org

What Should IA Do? Communicate: IA should: -- Assist in training programs on - Ethics - Risk identification - Control options - Fraud awareness -- Design programs -- Participation in training sessions 22 www.theiia.org

What Should IA Do? Accountability: IA should: -- Perform objective assessments using systematic, disciplined approach that incorporates an evaluation of evidence -- Ensure compliance to management directives by comparison of actual to criteria -- Assist in evaluation of processes to ensure efficient operations and effective accomplishment of objectives 23 www.theiia.org

#4:Internal Control Assessment & Opinion 24 www.theiia.org

Control • Defining Key Controls • Assessing Control Effectiveness • Opinion

25 www.theiia.org

Control A Process Effected by an Entity’s Board of Directors, Management and Other Personnel, Designed to Provide Reasonable Assurance regarding the Achievement of Objectives in the following categories: --Effectiveness & Efficiency of Operations --Reliability of Financial Reporting --Compliance with Applicable Laws & Regulations --Safeguarding of Assets COSO Definition

26 www.theiia.org

Opinion on IC • Evaluation criteria & structure • Scope • Who has responsibility for IC • Type of opinion – Positive assurance • Binary • Graded • Directional

– Negative assurance – Qualified 27 www.theiia.org

• • • • • • • • • • •

Issues

Estimates Closing Process Journal Entries Reconciliations Assignment of Responsibilities Accountability Ethics Risk Assessment Governance (Principles) IT Controls Analysis & Monitoring 28 www.theiia.org

#5:Risk Assessment Approach 29 www.theiia.org

5. Risk Assessment • Knowledge • Use • Reporting • Audit Committee & Risk • ERM & IA

30 www.theiia.org

Definition • IIA Research Report A rigorous

and coordinated approach to assessing and responding to all risks that affect the achievement of an organization’s strategic and financial objectives. This includes both upside and downside risks.

31 www.theiia.org

Key Concepts – Premises • ERM enables management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value

32 www.theiia.org

Core Roles for IA on ERM • Giving assurance on risk management processes. • Giving assurance that risks are correctly evaluated. • Evaluating risk management processes. • Evaluating the reporting of key risks. • Reviewing the management of key risks. 33 www.theiia.org

Roles IA Can Do • Facilitating identification and evaluation of risks. • Coaching management in responding to risks. • Coordinating ERM activities. • Consolidating the reporting on risks. • Maintaining and developing the ERM framework. • Championing establishment of ERM. • Developing risk management strategy for board approval

34 www.theiia.org

Roles IA should NOT do • • • • •

Setting the risk appetite. Imposing risk management processes. Management assurance on risks. Taking decisions on risk responses. Implementing risk responses on management's behalf. • Accountability for risk management. 35 www.theiia.org

R TI N G

NS

CO M

O

O TI RA E P

R EP O

R ST

G TE A

IC

PL IA NC E

ERM Framework – What’s New?

ENTITY - LEVEL

Event Identification Risk Assessment Risk Response Control Activities

BUSINESS UNIT DIVISION

Objective Setting

Information and Communication Monitoring

36 www.theiia.org

SUBSIDIARY

Internal Environment

MARKET/EXTERNAL RISK Competitor Sensitivity Investor Capital Availability Sovereign/Political Legal Regulatory Industry Financial Markets Business Interruption Collateral Catastrophic Loss Sourcing Interest Rate Currency Commodity Equity BUSINESS PROCESS RISK Cash Flow Concentration (Liquidity) Concentration (Credit) Efficiency Customer Satisfaction Performance Gap Cycle Time Dispatch Pension Fund Compliance Planning Product/Service Failure Opportunity Costs Environmental Scan Pricing Product Development Regulatory Reporting (Operating) Regulatory Reporting (Financial) Resource Allocation Taxation Collective Bargaining

SYSTEM & TOOLS RISK Integrity Access Availability Infrastructure

MANAGEMENT REPORTING O P E R ARISK TIONAL RISK Accounting Information Contract Commitment Financial Reporting Evaluation Relevance Treasury Reporting

FACILITIES & EQUIPMENT RISK Capacity Environmental Health & Safety Obsolescence/Shrinkage MODEL & ASSUMPTION RISK Budget & Planning Financial Instrument Investment Evaluation Performance Measurement (Process) Valuation COUNTERPARTY RISK Default Outsourcing Settlement

ORGANIZATION, MANAGEMENT & STRUCTURE RISK Authority/Limit Change Readiness Communications Employee Fraud Human Resources Illegal Acts Leadership Management Fraud Organization Structure Performance Incentives Unauthorized Use BUSINESS STRATEGY AND POLICY RISK Alignment Business Portfolio Credit Policy Life Cycle Performance Measurement 37 www.theiia.org Reputation Trademark/Brand Name Erosion

Essential – Process OBJECTIVES

EVENTS

INHERENT RISK

RESPONSES

RESIDUAL RISK

38 www.theiia.org

Essential – The Big Picture High Impact/ Low Likelihood

High Impact/ High Likelihood

Low Impact/ Low Likelihood

Low Impact/ High Likelihood

39 www.theiia.org

#6:Time Management 40 www.theiia.org

#7:Willingness to “step up to the plate & be counted” 41 www.theiia.org

#8:Observation Skills Application 42 www.theiia.org

#9:Consultancy / Process Analysis Skills 43 www.theiia.org

#10:Communication Skills

44 www.theiia.org

Agenda •What should Internal Auditors do? •Top Ten areas for internal auditors to focus on for the future •How can The IIA help? 45 www.theiia.org

The IIA Vision The global voice of the internal auditing profession: advocating its value, promoting best practice, and providing exceptional service to its members. 46 www.theiia.org

The IIA Mission Statement

The mission of The Institute of Internal Auditors is to provide dynamic leadership for the global profession of internal auditing. Activities in support of this mission will include but will not be limited to:

1. Advocating and promoting the value that internal audit professionals add to their organizations; 2. Providing comprehensive professional growth opportunities; standards and other professional practice guidance; and certification programs; 47 www.theiia.org

The IIA Mission Statement (Continued)

3. Researching, disseminating, and promoting to practitioners and stakeholders knowledge concerning internal auditing and its appropriate role in control, risk management, and governance; 4. Educating practitioners and other relevant audiences on best practices in internal auditing; and 5. Bringing together internal auditors from all countries to share information and experiences. 48 www.theiia.org

IIA Mission is to provide: ÎGuidance & Standards ÎCertification Program ÎResearch ÎPromotion of the Profession ÎForum for interchange ÎTraining 49 www.theiia.org

IIA Top Needs

•Advocacy •Globalization •Service to Members 50 www.theiia.org

Advocacy • Position papers • Key Constituent Groups • Link to IIA Advocate • Advocacy Specific Plan for each Group – Objective – Approach – Measures of success 51 www.theiia.org

Global Initiatives • Guidance Planning • Academic Relations • Government Auditors • SOA / Control Assessment • Technology Based Learning • Service Providers • Knowledge Management • Customer Service 52 www.theiia.org

Global Initiatives • Branding • Certification (CBT) • Translations on Website • Webcasts • Bill Bishop Memorial Fund Project • Global Seminars • IT – GTAG & GAIT 53 www.theiia.org

Global Initiatives • International Conference Model • GAIN • Flash Surveys • Capacity Development • Website Redesign • CIA Training Course • Career Board 54 www.theiia.org

Operations - Service • • • • • •

Website Information Affiliate Relations (restructure) Membership (growth & retention) New Computer Systems (Cust Serv) Bookstore – global reach CIA (exam training, CAE testing, Support) • Quality Assessment (SAWIV, tools, QA Manual) • Publications – On line delivery 55 www.theiia.org

The Internal Auditing Activity is a key element in an On-going Monitoring and Oversight Program within an Organization. It demonstrates Management & Board commitment to ensuring accuracy, efficiency, and effectiveness of operations & reporting. 56 www.theiia.org