Document

Download Report

Transcript Document 

Quality Assessments
Lessons Learned/Best Practices
Thomas A. Johnson, CIA
November 13, 2007
CBIZ Risk & Advisory Services, LLC
1
Agenda
 Requirement
 Benefits
 Attributes of a “World-Class”
Internal Audit
 Quality and Quality Assessment
 Keys to an Effective QA
 Common Observations
 Leading Practices
CBIZ Risk & Advisory Services, LLP
2
Requirement
 IIA Standard 1312- Requires an external assessment be
performed by a competent and independent firm at least
every 5 years.
 Good ‘business practice” to provide an independent
evaluation of internal audit as well as identifying
potential ways to improve the process.
 With Sarbanes-Oxley and other demands placed on Audit
Committees and Internal Audit, a Quality Assurance
Review serves to provide an assessment that the various
Internal Audit responsibilities are being discharged
effectively and efficiently.
CBIZ Risk & Advisory Services, LLP
3
Benefits
 Current State of “Conformance to the
Standards”.
 Builds stakeholder confidence by showing
management’s commitment to quality and
leading practices.
 Demonstrates that the Audit Committee and
Internal Audit are concerned about the
success of the organization’s internal
controls, governance and risk management
processes.
CBIZ Risk & Advisory Services, LLP
4
Benefits
 PCAOB Audit Standard 2 states “The
external auditor may use the work of
internal auditors particularly when
internal auditors are in compliance
with the Standards.”
 Observations on benchmarking &
identification of successful practices
 Recommendations for improvement
aimed at adding value to the
organization.
CBIZ Risk & Advisory Services, LLP
5
Benefits
 Identify Expectation Gaps
 Among key stakeholder
expectations
 Current state & desired state of
performance
 Recommendations aimed at adding
value to the organization
 Internal marketing tool strengthening
credibility and promoting integrity
CBIZ Risk & Advisory Services, LLP
6
Attributes of a “World-Class Internal
Audit Activity
Empowered & Respected by
Management and Board
Objective and Independent
Highly Talented
Risk Focused
Proactive
Technology Driven
CBIZ Risk & Advisory Services, LLP
7
Empowered and Respected
 Best Reporting Structure
 Functionally – Audit Committee
 Administratively- CEO
 Respected at All Levels
 Value-Added Business Advisors
 “Out of the box” thinking
 Provides effective resources and
solutions to business challenges
CBIZ Risk & Advisory Services, LLP
8
Objective and Independent
 Seen as providing unbiased views
of the organization.
 Have no real or apparent conflicts
of interest
 Independent of the activities they
audit
 “No-No’s”
 Designing and installing systems
 Drafting of procedures
CBIZ Risk & Advisory Services, LLP
9
Highly Talented
 Highly talented professionals
(certified) with unique combinations
of skills & experiences
 Hiring and Retention
 Rotation in and out
 Constantly adding value
 Collectively possess the essential
skills
 Consideration for co-sourcing
 Must commit to a program of
continuous development
CBIZ Risk & Advisory Services, LLP
10
Risk Focused
 Allocates Time & Resources Based
on Risk
 Annual and Long Term Plans
 Individual Engagements
 Identifies critical risks & exposures
before they become significant
issues
 Shares “lessons learned” across
common business units and
processes
CBIZ Risk & Advisory Services, LLP
11
Proactive
 Proactive, not only reactive
 Right balance between protecting and
enhancing shareholder value
 Level of consultative support
correlates with the organizations
fluidity
 E.g., a flat, decentralized
organization likely requires
significant support in analyzing
business risks and transferring
company-wide best practices then a
highly centralized organization
CBIZ Risk & Advisory Services, LLP
12
Technology & Process Driven
 Utilizes “state-of-the-art”
technology to:
 Reduce Risks
 Identify potential problems in nearly
real time
 Increase productivity
 Continuously improve the control
environment and communications
 Be committed to a program of
continuous improvement
CBIZ Risk & Advisory Services, LLP
13
Foundation of World-Class Audit
Departments
 The International Standards for the
Professional Practice of Internal
Auditing and the Code of Ethics
are the foundation for all worldclass functions.
CBIZ Risk & Advisory Services, LLP
14
Quality Components
 Adherence to the Code of Ethics
 Practicing in accordance with the
Standards
 Continued Professional Development
 Audit Practice is continuous
improvement oriented
CBIZ Risk & Advisory Services, LLP
15
Quality Assurance
 To Evaluate Quality- Objectively
measure internal audit process
 To maintain Quality- Fully commit
to professional growth and
development
 To ensure Quality- Maintain quality
assurance and improvement
program
CBIZ Risk & Advisory Services, LLP
16
Quality Standards
 Internal audit must establish a quality
assurance program that includes
both:
 Ongoing and periodic internal QA’s
 External QA a minimum of once
every 5 years
 Failure precludes IA from using the
statement “conducted in accordance
with the International Standards for
the Professional Practice of Internal
Auditing.”
CBIZ Risk & Advisory Services, LLP
17
Keys to an Effective QA
 Understanding the Professional
Practices Framework
 Awareness and Implementation of
the Standards
 Internal audit quality programs and
initiatives
 Leading practices in applying the
Standards
CBIZ Risk & Advisory Services, LLP
18
Professional Practices Framework
 Definition of Internal Auditing
 The Code of Ethics
 The Standards
 Practice Advisories
 Topical Index to the Practice
Advisories
CBIZ Risk & Advisory Services, LLP
19
Purpose of a Quality Assessment
 Assess conformance to the
Standards
 Assess the effectiveness and
efficiency of the internal audit
activity
 Identify opportunities for
improvement
 Improving performance
 Image of the department
CBIZ Risk & Advisory Services, LLP
20
Scope of External Assessments
 Conformance with the Standards & the
Code of Ethics & the IA’s charter, plan,
policies, procedures and applicable
laws & regulatory requirements
 The expectations of the IA as
expressed by the board, executive
management and operational
management
 The integration of the IA into the
governance process, including the
relationships between and among the
key groups involved in the process
CBIZ Risk & Advisory Services, LLP
21
Scope (Cont’d)
 Tools and techniques
 Mix of knowledge, experience and
disciplines within the staff,
including the focus on process
improvement
 Determination that the internal
audit activity adds value and
improves the organization’s
operations
CBIZ Risk & Advisory Services, LLP
22
Areas of Focus
 The Mandate of the IA Activity
 The Relationship between IA & the
Audit Committee
 IA Reporting Lines
 Staffing of Internal Audit
 Obtaining & Maintaining Competency
 Coordination with External Audit
 Developing the Internal Audit Plan
 Reporting Findings & Recommendations
CBIZ Risk & Advisory Services, LLP
23
Areas of Focus
 Follow-Up of Corrective Action
 Fraud
 Internal Quality Program
 Sufficiency of IA Resources
 Support from Senior Management
 Evaluation by the Audit Committee
CBIZ Risk & Advisory Services, LLP
24
Common Findings
 Charters not current, inadequate
and/or misaligned
 Lacking support or sponsorship by top
management
 Department structure issues
 Reporting lines
 Alignment with the organization
 Insufficient business knowledge
and/or technology capabilities
 Lack of a defined and documented
risk assessment
CBIZ Risk & Advisory Services, LLP
25
Common Findings
 Linkage of risk assessment to plan
 Impact of Sar-Box
 Lack of external input to risk
assessment
 Audit Universe Deficiencies
 Ineffective resource planning,
including training
 Inadequate IT Coverage
 Limited use of technology
 Infrequent management interaction
CBIZ Risk & Advisory Services, LLP
26
Common Findings
 Lack of Performance
Measurements
 Failure to Track Auditors’ Time
 Inconsistent/Incomplete Work
Papers
 Lack of a defined and documented
Quality Assurance and
Improvement Program
 Insufficient reporting to the Audit
Committee
CBIZ Risk & Advisory Services, LLP
27
Leading Practices
 Enterprise Risk Assessment
 Rigorous and coordinated approach
 Assessing all risks that affect the
organizations strategic & financial
objectives
 Risk & Control Self Assessment
 Using Control Frameworks (COSO)
 Effectiveness & Efficiency of Operations
 Reliability of Financial Reporting
 Compliance with Laws & Regulations
CBIZ Risk & Advisory Services, LLP
28
Leading Practices
 Partnering with Management
 Risk Assessment & Annual Audit Planning
 Long Term Audit Plans
 Usually three years
 Higher risk areas should be reviewed
more frequently within the 3 year plan
 Frequent modifications to long term plan
 Developing Staff
 Goal of 80 hours of training
 Stretch Objectives & Performance
Measures
 Certification
CBIZ Risk & Advisory Services, LLP
29
Leading Practices
 Communicating More Effectively
 User friendly format
 Executive summary, with clear concise
information and opinion
 Regular reporting of issues to the Audit
committee
 “Marketing” IA function
• Brochure
• Intranet
CBIZ Risk & Advisory Services, LLP
30
Leading Practices
 Using Technology





Data extraction and analysis
Fraud detection/prevention
Network security assessment
Automated work-papers
Audit administration tools
 Benchmarking
 Performance measurements
CBIZ Risk & Advisory Services, LLP
31
Questions
?
?
?
?
?
?
?
CBIZ Risk & Advisory Services, LLP
32
Follow-Up
Tom Johnson
[email protected]
330-759-0046
CBIZ Risk & Advisory Services, LLP
33