Top Ten Issues facing Internal Auditing in the Future
The IIA Dallas Chapter
April 6, 2006
Presented by: David A. Richards, CIA, CPA
President, The Institute of Internal Auditors
[email protected] 1 www.theiia.org
Agenda
• What should Internal Auditors do?
• Top Ten areas for internal auditors to focus on for the future
• How can The IIA help?
Definition of Internal Auditing: Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the risk management, control and governance processes. (Approved by the Board of Directors 6/26/99)
What do Internal Auditors Do?
• Help solve problems
• Confirm accuracy of information
• Ensure assets are properly safeguarded
• Confirm compliance to laws & regulations
• Help improve the effectiveness and efficiency of processes
• Investigate fraud situations
• Provide a resource for skills
What are our Constituents saying about us?
• Communication needs improvement (AC, Mgt, EA)
• Focus needs better alignment
• Resources/skills need assessment
• Top areas for attention: control, risk, fraud, IT
• Assessment of results presentation
Where are we now???
• What Image do we have?
• What type of Outputs do we produce?
• What Process do we follow?
• What ability do we have to control the future?
• What indicators do we have of how we are doing?
Where are we now???
Image
• Corporate “cop”
• Compliance focused
• Partner
• Source of value creation
• Involved in corporate initiatives
• Customer focused
Where are we now???
Outputs
• Findings / causes
• Recommendations
• Implementation help
• Post implementation verification / confirmation of results that resolve issues
• Anticipate customer needs
Where are we now???
Process
• Cycle
• Risk based
• Customer input
• Customer focused / driven
• Competitive (Bid)
• Proactive vs. reactive
Agenda
• What should Internal Auditors do?
• Top Ten areas for internal auditors to focus on for the future
• How can The IIA help?
#1: Fraud Audit Techniques
Fraud Responsibilities
• Internal Auditing
  – Fraud risk identification & response
  – Investigating Fraud cases
  – Fraud consideration in each audit
  – Support Hot Line
  – Support Education & Training
  – Help Ethics Officer – Fraud Program
  – Help establish Corporate Compliance Program
Fraud Aspects
• Awareness
• Training
• Identification
• Investigation
#2: Technology Expertise
Assessing IT Controls
• Understanding IT Controls
  – Governance, Management, Technical
  – General / Application
  – Preventive, Detective, Corrective
  – Information Security
• Importance of IT Controls
• Roles & Responsibilities for IT Controls
• Based on Risk
• Monitoring techniques
• Assessment Process
GAIT Scoping Example
For financial reporting, the scope of IT control testing has three primary axes:
• What business processes are in scope?
• Which business processes are relevant to financial reporting (e.g., materiality)?
• How significant is the business process to the financial reporting objective?
• What other transactional controls exist that may create assurance of the business process integrity (e.g., manual settlement and balancing)? Example: 10 revenue generating systems; external auditors won’t look at all 10, but will concentrate on the 3 that compose 85%.
• For those business processes in scope, what IT assets are considered relevant to financial reporting (e.g., distance and percentage of controls embedded in IT)? Example: 10 revenue generating systems; external auditors won’t look at all 10, but will concentrate on the 3 that compose 85% of the overall revenues.
• What level of controls evaluation and testing is required to create sufficient assurance for management to make the assertions related to IT change and IT entitlements transactions (e.g., completeness, accuracy, etc.)?
• What are the types of controls in place? The level of assurance goes from highest to lowest, in the following order:
  • automated and preventive
  • automated and detective
  • manual and preventive
  • manual and detective
#3: Governance Auditing
Governance – Key Words
• Expectations – What is needed for Success: Policies, procedures, guidance, organization, assignment of responsibilities
• Communications – Informing & Training
• Accountability – holding people accountable for meeting expectations
IIA Standards-Governance • 2130-Governance • The internal audit activity should contribute to the organization's governance process by evaluating and improving the process through which (1) values and goals are established and communicated, (2) the accomplishment of goals is monitored, (3) accountability is ensured, and (4) values are preserved
Allocation of IA Effort
[Figure: Audit Effort plotted against Governance Model, from Less Structured to More Structured. Labels: Provide advice with focus on Establishing Governance Structure; Perform audits of design & effectiveness of specific governance processes; Best Practice reviews]
What Should IA Do?
Setting Expectations: IA should:
-- Help drafting of policies, procedures, processes, guidance to utilize their
   - knowledge
   - expertise
-- Ensuring Controls are built into processes, not added on
What Should IA Do?
Communicate: IA should:
-- Assist in training programs on
   - Ethics
   - Risk identification
   - Control options
   - Fraud awareness
-- Design programs
-- Participation in training sessions
What Should IA Do?
Accountability: IA should:
-- Perform objective assessments using systematic, disciplined approach that incorporates an evaluation of evidence
-- Ensure compliance to management directives by comparison of actual to criteria
-- Assist in evaluation of processes to ensure efficient operations and effective accomplishment of objectives
#4: Internal Control Assessment & Opinion
Control
• Defining Key Controls
• Assessing Control Effectiveness
• Opinion
Control
A Process Effected by an Entity’s Board of Directors, Management and Other Personnel, Designed to Provide Reasonable Assurance regarding the Achievement of Objectives in the following categories:
-- Effectiveness & Efficiency of Operations
-- Reliability of Financial Reporting
-- Compliance with Applicable Laws & Regulations
-- Safeguarding of Assets
COSO Definition
Opinion on IC
• Evaluation criteria & structure
• Scope
• Who has responsibility for IC
• Type of opinion
  – Positive assurance
    • Binary
    • Graded
    • Directional
  – Negative assurance
  – Qualified
Issues
• Estimates
• Closing Process
• Journal Entries
• Reconciliations
• Assignment of Responsibilities
• Accountability
• Ethics
• Risk Assessment
• Governance (Principles)
• IT Controls
• Analysis & Monitoring
#5: Risk Assessment Approach
5. Risk Assessment
• Knowledge
• Use
• Reporting
• Audit Committee & Risk
• ERM & IA
Definition
• IIA Research Report
A rigorous and coordinated approach to assessing and responding to all risks that affect the achievement of an organization’s strategic and financial objectives. This includes both upside and downside risks.
Key Concepts – Premises
• ERM enables management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value
Core Roles for IA on ERM
• Giving assurance on risk management processes.
• Giving assurance that risks are correctly evaluated.
• Evaluating risk management processes.
• Evaluating the reporting of key risks.
• Reviewing the management of key risks.
Roles IA Can Do
• Facilitating identification and evaluation of risks.
• Coaching management in responding to risks.
• Coordinating ERM activities.
• Consolidating the reporting on risks.
• Maintaining and developing the ERM framework.
• Championing establishment of ERM.
• Developing risk management strategy for board approval
Roles IA should NOT do
• Setting the risk appetite.
• Imposing risk management processes.
• Management assurance on risks.
• Taking decisions on risk responses.
• Implementing risk responses on management's behalf.
• Accountability for risk management.
ERM Framework – What’s New?
[Figure: ERM framework cube. Objective categories: Strategic, Operations, Reporting, Compliance. Components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, Monitoring. Levels: Entity-Level, Division, Business Unit, Subsidiary]
MARKET/EXTERNAL RISK: Competitor Sensitivity Investor Capital Availability Sovereign/Political Legal Regulatory Industry Financial Markets Business Interruption Collateral Catastrophic Loss Sourcing Interest Rate Currency Commodity Equity
BUSINESS PROCESS RISK: Cash Flow Concentration (Liquidity) Concentration (Credit) Efficiency Customer Satisfaction Performance Gap Cycle Time Dispatch Pension Fund Compliance Planning Product/Service Failure Opportunity Costs Environmental Scan Pricing Product Development Regulatory Reporting (Operating) Regulatory Reporting (Financial) Resource Allocation Taxation Collective Bargaining
SYSTEM & TOOLS RISK: Integrity Access Availability Infrastructure
OPERATIONAL RISK
MANAGEMENT REPORTING RISK: Accounting Information Contract Commitment Financial Reporting Evaluation Relevance Treasury Reporting
FACILITIES & EQUIPMENT RISK: Capacity Environmental Health & Safety Obsolescence/Shrinkage
MODEL & ASSUMPTION RISK: Budget & Planning Financial Instrument Investment Evaluation Performance Measurement (Process) Valuation
COUNTERPARTY RISK: Default Outsourcing Settlement
ORGANIZATION, MANAGEMENT & STRUCTURE RISK: Authority/Limit Change Readiness Communications Employee Fraud Human Resources Illegal Acts Leadership Management Fraud Organization Structure Performance Incentives Unauthorized Use
BUSINESS STRATEGY AND POLICY RISK: Alignment Business Portfolio Credit Policy Life Cycle Performance Measurement Reputation Trademark/Brand Name Erosion
Essential – Process
[Figure: OBJECTIVES; EVENTS; INHERENT RISK; RESPONSES; RESIDUAL RISK]
Essential – The Big Picture
[Figure: four quadrants: High Impact / Low Likelihood; High Impact / High Likelihood; Low Impact / Low Likelihood; Low Impact / High Likelihood]
#6: Time Management
#7: Willingness to “step up to the plate & be counted”
#8: Observation Skills Application
#9: Consultancy / Process Analysis Skills
#10: Communication Skills
Agenda
• What should Internal Auditors do?
• Top Ten areas for internal auditors to focus on for the future
• How can The IIA help?
The IIA Vision
The global voice of the internal auditing profession: advocating its value, promoting best practice, and providing exceptional service to its members.
The IIA Mission Statement
The mission of The Institute of Internal Auditors is to provide dynamic leadership for the global profession of internal auditing. Activities in support of this mission will include but will not be limited to:
1. Advocating and promoting the value that internal audit professionals add to their organizations;
2. Providing comprehensive professional growth opportunities; standards and other professional practice guidance; and certification programs;
The IIA Mission Statement (Continued)
3. Researching, disseminating, and promoting to practitioners and stakeholders knowledge concerning internal auditing and its appropriate role in control, risk management, and governance;
4. Educating practitioners and other relevant audiences on best practices in internal auditing; and
5. Bringing together internal auditors from all countries to share information and experiences.
IIA Mission is to provide:
• Guidance & Standards
• Certification Program
• Research
• Promotion of the Profession
• Forum for interchange
• Training
IIA Top Needs
• Advocacy
• Globalization
• Service to Members
Advocacy
• Position papers
• Key Constituent Groups
• Link to IIA Advocate
• Advocacy Specific Plan for each Group
  – Objective
  – Approach
  – Measures of success
Global Initiatives
• Guidance Planning
• Academic Relations
• Government Auditors
• SOA / Control Assessment
• Technology Based Learning
• Service Providers
• Knowledge Management
• Customer Service
Global Initiatives
• Branding
• Certification (CBT)
• Translations on Website
• Webcasts
• Bill Bishop Memorial Fund Project
• Global Seminars
• IT – GTAG & GAIT
Global Initiatives
• International Conference Model
• GAIN
• Flash Surveys
• Capacity Development
• Website Redesign
• CIA Training Course
• Career Board
Operations - Service
• Website Information
• Affiliate Relations (restructure)
• Membership (growth & retention)
• New Computer Systems (Cust Serv)
• Bookstore – global reach
• CIA (exam training, CAE testing, Support)
• Quality Assessment (SAWIV, tools, QA Manual)
• Publications – On line delivery
The Internal Auditing Activity is a key element in an On-going Monitoring and Oversight Program within an Organization. It demonstrates Management & Board commitment to ensuring accuracy, efficiency, and effectiveness of operations & reporting.